NetworkManager does not support AES-encrypted private keys for WPA 802.1x authentication
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
NetworkManager | Expired | Wishlist | |
network-manager (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
* Impact
Selecting AES-{192,256}-CBC keys to connect isn't working
* Test case
1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key.
That should work.
* Regression potential
That's new code for an extra type of key; it shouldn't impact existing options.
--------------
NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.
Changed in network-manager: | |
importance: | Unknown → Medium |
status: | Unknown → New |
Changed in network-manager (Ubuntu): | |
status: | Incomplete → New |
Changed in network-manager: | |
importance: | Medium → Wishlist |
status: | New → Confirmed |
description: | updated |
Changed in network-manager (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in network-manager (Ubuntu Bionic): | |
assignee: | nobody → Till Kamppeter (till-kamppeter) |
Changed in network-manager: | |
importance: | Wishlist → Unknown |
status: | Confirmed → Unknown |
Changed in network-manager: | |
importance: | Unknown → Wishlist |
status: | Unknown → Confirmed |
Changed in network-manager (Ubuntu Bionic): | |
assignee: | Till Kamppeter (till-kamppeter) → nobody |
no longer affects: | network-manager (Ubuntu Bionic) |
Changed in network-manager: | |
status: | Confirmed → Expired |
NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.
To test via nm-applet:
1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key. Even with the correct passphrase, the "Connect" button will remain disabled; debugging output will show that nm-util is failing to validate the private key.
Workaround for anyone running into this issue: Re-encrypt your key with DES-3. The incantation is "openssl rsa -in aes-key.pem -out working-key.pem -des3".
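The test case relies on spotting the "DEK-Info: AES-256-CBC," line in the re-encrypted key. The following is an added example, not part of the original report or of NetworkManager's code: it reads the PEM headers to report which cipher protects a key, so a DES-3 key can be told apart from an AES one before importing it. It also recognizes PKCS#8 "ENCRYPTED PRIVATE KEY" blocks, which carry no DEK-Info line. The function name and the sample keys are constructed for illustration.

```python
import re

# IV length in bytes equals the block size of each CBC cipher named on this page.
IV_BYTES = {"DES-EDE3-CBC": 8, "AES-128-CBC": 16, "AES-192-CBC": 16, "AES-256-CBC": 16}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

# Constructed samples: headers are realistic, the body is placeholder base64, not a key.
AES_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----"""
DES_SAMPLE = AES_SAMPLE.replace("AES-256-CBC,00112233445566778899AABBCCDDEEFF",
                                "DES-EDE3-CBC,0011223344556677")
PKCS8_SAMPLE = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----"""


def describe_pem_key(pem_text):
    """Report how a PEM private key is protected, without decrypting it."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    m = BEGIN_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not a PEM block")
    label = m.group(1)
    if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        # PKCS#8: the cipher lives inside the ASN.1 body, so there is no DEK-Info line.
        return {"format": "pkcs8", "encrypted": label.startswith("ENCRYPTED"), "cipher": None}
    headers = {}
    for ln in lines[1:]:  # RFC 1421 style headers end at the first blank line
        if not ln or ":" not in ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip()] = value.strip()
    info = {"format": "traditional", "encrypted": False, "cipher": None}
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, _, iv_hex = headers.get("DEK-Info", "").partition(",")
        if not cipher:
            raise ValueError("encrypted key without a DEK-Info header")
        expected = IV_BYTES.get(cipher)
        if expected is not None and len(bytes.fromhex(iv_hex)) != expected:
            raise ValueError("IV length does not match " + cipher)
        info.update(encrypted=True, cipher=cipher)
    return info


if __name__ == "__main__":
    for sample in (AES_SAMPLE, DES_SAMPLE, PKCS8_SAMPLE):
        print(describe_pem_key(sample))
```

A key reported as "traditional" with an AES cipher is the case this bug describes; one reported as DES-EDE3-CBC matches the workaround.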