Cannot connect to eduroam on F36 due to openssl error

I cannot connect to eduroam on F36. Based on the logs, it seems to be because of an openssl error.

wpa_supplicant[1063]: wlp0s20f3: Associated with 7c:0e:ce:47:f5:3f
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
kernel: wlp0s20f3: Limiting TX power to 14 dBm as advertised by 7c:0e:ce:47:f5:3f
wpa_supplicant[1063]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[1063]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wpa_supplicant[1063]: wlp0s20f3: Authentication with 7c:0e:ce:47:f5:3f timed out.
kernel: wlp0s20f3: deauthenticating from 7c:0e:ce:47:f5:3f by local choice (Reason: 3=DEAUTH_LEAVING)
wpa_supplicant[1063]: BSSID 7c:0e:ce:47:f5:3f ignore list count incremented to 3, ignoring for 60 seconds
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid=7c:0e:ce:47:f5:3f reason=3 locally_generated=1
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=23 reason=AUTH_FAILED
wpa_supplicant[1063]: BSSID 7c:0e:ce:47:f5:3f ignore list count incremented to 4, ignoring for 120 seconds
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-DSCP-POLICY clear_all

I found another thread, but the resolution proposed there doesn’t work for me. Looking carefully, I get a different error:

wpa_supplicant[1063]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[1063]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol

I searched a bit, but didn’t get anywhere.
I also came across this RH blog, and found the corresponding option in man openssl.cnf and added the following:

[ alg_section ]

rh-allow-sha1-signatures

That didn’t work either. Did I misunderstand something? Is the alg_section a placeholder for a section name, not literal?

2 Likes

This is indeed a different error to the one we debugged before.

I’ve posted on the devel mailing list now, so hopefully someone with enough OpenSSL knowledge will be able to help:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/3P2WVSWW5BJEG4T2STRQPCLZWMTF4KIY/

2 Likes

Thanks @ankursinha !

This likely happens because your EAP server only supports old versions of SSL or TLS.

The blog post is a good starting point, except I’m unsure why you came to the conclusion that setting rh-allow-sha1-signatures explicitly was the correct answer.

Chances are your EAP server does not support TLS 1.2, which is required by the DEFAULT crypto-policy on Fedora (see here: policies/DEFAULT.pol · dfb10eac929780d02a368dc0fe6ebddddd2b4009 · redhat-crypto / fedora-crypto-policies · GitLab). Have you tried setting the crypto-policy to LEGACY using update-crypto-policies --set LEGACY? That should enable TLS >= 1.0 (see policies/LEGACY.pol · dfb10eac929780d02a368dc0fe6ebddddd2b4009 · redhat-crypto / fedora-crypto-policies · GitLab). (NB: URLs aren’t links because new users can only post a single link per post.)

Incidentally, switching the crypto-policy to LEGACY will also correctly add rh-allow-sha1-signatures to /etc/crypto-policies/back-ends/opensslcnf.config. Specifically, alg_section refers to the configuration value in the section named by openssl_conf that contains the name of the section that can contain rh-allow-sha1-signatures. That’s confusing, so here’s an example:

openssl_conf = openssl_init

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes

Note that the default value of rh-allow-sha1-signatures is yes on Fedora. See Commit - rpms/openssl - 2fdd24a7245144606e3f3ddd67e64225be741324 - src.fedoraproject.org and its commit message.

If this isn’t solved by switching to the LEGACY crypto policy, I either misidentified the root cause, or your EAP server requires SSLv3. In any case, you should ask your university’s IT department to support modern TLS on their EAP server.

2 Likes
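Added example (not code from the thread or from the openssl project): a small resolver that follows the openssl.cnf indirection described above, openssl_conf -> [init section] alg_section -> [named section] rh-allow-sha1-signatures, and shows why a literal [ alg_section ] header is never consulted while the keyed form resolves to yes. Both sample configs are constructed for the demonstration.

```python
import re

# Constructed: the poster's attempt, which treats alg_section as a literal header.
OP_ATTEMPT = """
[ alg_section ]
rh-allow-sha1-signatures
"""

# Constructed: the form described in the thread, where alg_section is a key
# naming the section that actually holds rh-allow-sha1-signatures.
CORRECT_FORM = """
openssl_conf = openssl_init

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes
"""


def parse_cnf(text):
    """Minimal openssl.cnf parser: {section: {key: value}}.
    Keys before the first [section] header go into the default section ""."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[\s*(.*?)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        # A bare word without "=" (as in the poster's attempt) is kept as None.
        sections[current][key.strip()] = value.strip() if sep else None
    return sections


def resolve_sha1_setting(text):
    """Follow the chain openssl_conf -> alg_section -> rh-allow-sha1-signatures.
    Returns (value, trail); value is None wherever the chain breaks."""
    cfg = parse_cnf(text)
    init = cfg[""].get("openssl_conf")
    trail = [f"openssl_conf = {init}"]
    if init not in cfg:
        return None, trail
    alg = cfg[init].get("alg_section")
    trail.append(f"[{init}] alg_section = {alg}")
    if alg not in cfg:
        return None, trail
    value = cfg[alg].get("rh-allow-sha1-signatures")
    trail.append(f"[{alg}] rh-allow-sha1-signatures = {value}")
    return value, trail


if __name__ == "__main__":
    for name, text in (("poster's attempt", OP_ATTEMPT), ("keyed form", CORRECT_FORM)):
        value, trail = resolve_sha1_setting(text)
        print(f"{name}: effective value = {value}; trail = {trail}")
```

On a real system the same chain starts from /etc/pki/tls/openssl.cnf, which includes the crypto-policy back-end file clang mentions.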

Thanks very much @clang (I’ve also edited your posts to make the links work). @fatka please let us know if this works for you or not.

Thanks @clang @ankursinha. Unfortunately, I’m a visitor at the University, and I will be back on location a few weeks from now. But I have other eduroam locations near me, I’ll check there this week. That way I can isolate whether it’s this one university, or if the issue is more common.

1 Like

Sorry for getting back so late. I couldn’t get back on location until now. I tried setting the crypto policy to legacy:

# update-crypto-policies --show 
LEGACY
# update-crypto-policies --check 
The configured policy matches the generated policy
# update-crypto-policies --is-applied
The configured policy is applied

After setting the policy, I also restarted NetworkManager using systemctl. However I still get the above issue. For now I have been connecting my Android phone to eduroam, and using USB tethering.