Description of problem:
After updating to wpa_supplicant 2.4-3 on July 1, was unable to connect to my corporate wifi access point. Subsequent downgrade to wpa_supplicant 2.3-3 fixed access problem, so I think this is a wpa_supplicant bug.

Version-Release number of selected component (if applicable):
wpa_supplicant 2.4-3

How reproducible:
Upgrade to 2.4-3 try to access wpa/wpa2 wifi with TTLS authentication that has been working for well over a year now. Fails. Downgrade to 2.3-3 and it works again.

Steps to Reproduce:
See above
1. Select network in NetworkManager
2. Does not connect
3. Keeps asking for password

Actual results:
From /etc/wpa_supplicant.log after upgrade:

wlp12s0: SME: Trying to authenticate with e0:1c:41:34:19:e9 (SSID='CICS' freq=5220 MHz)
wlp12s0: Trying to associate with e0:1c:41:34:19:e9 (SSID='CICS' freq=5220 MHz)
wlp12s0: Associated with e0:1c:41:34:19:e9
wlp12s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
wlp12s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp12s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wlp12s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority' hash=c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority' hash=c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287' hash=09ed6e991fc3273d8fea317d339c02041861973549cfa6e1558f411f11211aa3
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=cicsnc.org' hash=598c9bcc63d9e114262181d14dfed5372381b7ae0eb762e701b689b0e309f9b7
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:cicsnc.org
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:www.cicsnc.org
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:osx.cicsnc.org
wlp12s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:osx2.cicsnc.org
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp12s0: Authentication with e0:1c:41:34:19:e9 timed out.
wlp12s0: CTRL-EVENT-DISCONNECTED bssid=e0:1c:41:34:19:e9 reason=3 locally_generated=1
wlp12s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="CICS" auth_failures=1 duration=10 reason=AUTH_FAILED
wlp12s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="CICS" auth_failures=2 duration=35 reason=CONN_FAILED

After downgrade:

wlp12s0: Trying to associate with e0:1c:41:34:19:e9 (SSID='CICS' freq=5220 MHz)
wlp12s0: Associated with e0:1c:41:34:19:e9
wlp12s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp12s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
wlp12s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wlp12s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority'
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority'
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287'
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=cicsnc.org'
EAP-MSCHAPV2: Authentication succeeded
wlp12s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlp12s0: WPA: Key negotiation completed with e0:1c:41:34:19:e9 [PTK=CCMP GTK=CCMP]
wlp12s0: CTRL-EVENT-CONNECTED - Connection to e0:1c:41:34:19:e9 completed [id=0 id_str=]
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-62 noise=9999 txrate=6000
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-59 noise=9999 txrate=81000
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-67 noise=9999 txrate=135000
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-59 noise=9999 txrate=6000
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-67 noise=9999 txrate=121500
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-61 noise=9999 txrate=135000
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-67 noise=9999 txrate=6000
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-61 noise=9999 txrate=6000
wlp12s0: CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-67 noise=9999 txrate=135000

Expected results:
The latter results are expected

Additional info:
PEAP, TLS, other authentication protocols produced the same ssl handshake error (dh key too small). "No CA required" was checked in NetworkManager in both cases, but I'm not sure if I snipped out the right part of the wpa_supplicant log in the failure case--I was trying everything. The SSL handshake failure was consistent under all attempts to authenticate no matter what drop downs/boxes were selected in NetworkManager under 2.4-3. Now that I have it working, I am loathe to break it again.
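
Added example, not part of the original report: a small triage script that splits a wpa_supplicant log into EAP attempts and separates TLS-handshake failures (such as the "dh key too small" error above, where no EAP-MSCHAPV2 line is ever logged) from failures of the inner credential exchange. The function name `triage` and the outcome labels are assumptions of this example; the sample log is constructed by abridging the two logs in the report.

```python
import re

# Constructed sample: one failing and one working attempt, abridged from the report.
SAMPLE_LOG = """\
wlp12s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp12s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=cicsnc.org'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp12s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp12s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wlp12s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=cicsnc.org'
EAP-MSCHAPV2: Authentication succeeded
wlp12s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
"""

# OpenSSL error lines look like: error:<code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"OpenSSL: \S+ - \S+ error:[0-9A-Fa-f]+:[^:]*:[^:]*:(.*)")
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD .*\(([\w-]+)\) selected")
LEAF = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=0 subject='([^']*)'")

def triage(log_text):
    """Return one dict per EAP attempt with its method, server cert and outcome."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if "CTRL-EVENT-EAP-STARTED" in line:
            cur = {"method": None, "server": None, "tls_error": None,
                   "inner_auth_seen": False, "outcome": "incomplete"}
            attempts.append(cur)
        elif cur is None:
            continue  # noise before the first attempt
        elif m := METHOD.search(line):
            cur["method"] = m.group(1)
        elif m := LEAF.search(line):
            cur["server"] = m.group(1)
        elif m := OPENSSL_ERR.search(line):
            cur["tls_error"] = m.group(1).strip()
        elif line.startswith("EAP-MSCHAPV2:"):
            cur["inner_auth_seen"] = True
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            cur["outcome"] = "success"
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            # A TLS error means the tunnel was never built, so the password
            # was never sent and re-entering it cannot change the result.
            cur["outcome"] = "tls_failure" if cur["tls_error"] else "auth_failure"
    return attempts

if __name__ == "__main__":
    for i, a in enumerate(triage(SAMPLE_LOG), 1):
        print(i, a["method"], a["outcome"], a["tls_error"] or "-")
```

An attempt classified as `tls_failure` points at the TLS parameters negotiated with the authentication server rather than at the stored credentials.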