wpa_supplicant ignores failed CA certificate validation

Bug #673981 reported by Daniel Seither
This bug affects 5 people
Affects: wpasupplicant (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: wpasupplicant

When using a wireless network in Network Manager using WPA2-EAP (PEAP, MSCHAPv2) and choosing a CA certificate in DER format, OpenSSL fails to load the certificate with the following error message in syslog:

wpa_supplicant[1667]: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)

However, the connection is not terminated. This is a major problem since the user is not aware that the certificate was not verified. Credentials may be sent to a rogue network --- an attack which would have been detected by the certificate check.

wpa_supplicant should either
1) support both DER and PEM (currently the error vanishes when using PEM) or
2) terminate the connection before sending credentials if the CA certificate cannot be loaded.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: wpasupplicant 0.6.10-2
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 11 12:39:28 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 PATH=(custom, user)
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: wpasupplicant

Daniel Seither (tiwoc) wrote:
visibility: private → public
Changed in wpasupplicant (Ubuntu):
status: New → Confirmed
importance: Undecided → Low

Felix Eckhofer (eckhofer) wrote:

Additionally, it seems that when the PEM certificate does not have the .pem file name extension it is not verified either (*.crt, for example).

thinkpad (fellowsgarden) wrote:

PEM is king.

Also make sure the wpa_supplicant OpenSSL engine is installed.

I'm pretty sure that one of the two helped solve my wlan problems with natty at uni.

(sorry, but I think this is at least semi-relevant to this bug report :)

thinkpad (fellowsgarden) wrote:

Sorry for the radio silence: the steps above might (have) help(ed), but definitely _NOT_ reliably / noticeably :-( I'm still looking for a way to disable fast reauth in wpa_supplicant.conf, a file which I can't find: does one need to create it first?
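
The following is an added example and is not code from the bug report, from Ubuntu or from wpa_supplicant itself. It shows the fail-closed handling the report asks for, done on the supplicant's behalf before it ever reads the CA file: the CA certificate is classified by content (PEM armour line or the leading ASN.1 SEQUENCE byte 0x30 of a DER file), a DER file is converted to PEM with openssl x509 (the one external assumption: openssl(1) is installed), and a wpa_supplicant.conf for the PEAP/MSCHAPv2 network is written only once a loadable PEM CA exists. Because detection is by content rather than file name, a PEM file saved as *.crt (the second comment) is still recognised; writing the PEM copy to a path ending in .pem keeps the file name unambiguous as well. The generated config also answers the last comment: fast_reauth is a global option in wpa_supplicant.conf, and the file is created by the administrator, so writing it with fast_reauth=0 is the way to disable fast reauthentication. Note that wpa_supplicant skips server certificate verification entirely when ca_cert is not set, so a CA file that fails to load and a CA file that was never configured end in the same unverified state. The SSID, identity and paths are placeholders, and the sample files used in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from wpa_supplicant.
# Fail-closed handling of the CA certificate before wpa_supplicant ever sees it:
# classify the file by content, convert DER to PEM, and refuse to write a
# network config unless a loadable PEM CA exists.
# Assumption: openssl(1) is installed (only needed for the DER -> PEM step).

# ca_cert_format FILE: prints "pem", "der" or "unknown"; exit status 1 for unknown.
ca_cert_format() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    # PEM is base64 between textual armour lines.
    if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
        echo pem
        return 0
    fi
    # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag, 0x30.
    first=$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
    return 1
}

# ca_cert_to_pem SRC DST: writes a PEM copy of SRC to DST, converting DER if needed.
# Anything that is neither PEM nor DER is rejected rather than passed through.
ca_cert_to_pem() {
    src=$1
    dst=$2
    case $(ca_cert_format "$src") in
        pem) cp "$src" "$dst" ;;
        der) openssl x509 -inform DER -in "$src" -outform PEM -out "$dst" ;;
        *)   echo "refusing: $src is neither PEM nor DER" >&2; return 1 ;;
    esac
}

# write_wpa_conf CA_PEM SSID IDENTITY OUT: emits a wpa_supplicant.conf with a
# PEAP/MSCHAPv2 network that pins the CA, and fast_reauth disabled globally.
# Refuses (exit status 1, nothing written) unless CA_PEM is a readable PEM file,
# so a bad CA path can never silently turn into an unverified connection.
write_wpa_conf() {
    ca=$1
    ssid=$2
    ident=$3
    out=$4
    [ "$(ca_cert_format "$ca")" = pem ] || {
        echo "refusing to write $out: $ca is not a PEM CA certificate" >&2
        return 1
    }
    cat > "$out" <<EOF
ctrl_interface=/var/run/wpa_supplicant
# Global option: disable fast EAP reauthentication (TLS session resumption).
fast_reauth=0

network={
    ssid="$ssid"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$ident"
    # password="..." deliberately omitted here; add it or use a hashed form.
    ca_cert="$ca"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Usage (placeholder paths, SSID and identity; the .der file is a constructed input):
#   ca_cert_to_pem /root/university-ca.der /etc/wpa_supplicant/university-ca.pem &&
#   write_wpa_conf /etc/wpa_supplicant/university-ca.pem eduroam user@example.org \
#                  /etc/wpa_supplicant/wpa_supplicant.conf
```

The important design choice is that every failure path ends with no config being written and a non-zero exit status, which is the opposite of the behaviour described in the report, where a CA load error is logged and the EAP exchange continues regardless.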
