Trouble connection to eduroam - openssl 1.1.0.e vs 1.0.2.l

Mauro Santos registo.mailling at gmail.com
Fri May 26 09:54:49 PDT 2017 

Hello,

Like the subject line says I'm having trouble connecting to an eduroam
network. At first I was using the wpa_supplicant executable (version
2.6) provided by the distro (Arch Linux) but since it wasn't working I
decided to try the latest git version.

Building the latest git version against openssl 1.1.0.e results in
failed attempts to connect. If I use openssl 1.0.2.l I am able to
connect successfully.

Could this be a problem due to some change in openssl?

The configuration file I've been using to test looks like this:

ap_scan=1
p2p_disabled=1

network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="myidentity at ipt.pt"
        password="myplaintextpassword"
        phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
        phase2="auth=MSCHAPV2"
}

As you can see this network is a special snowflake as the authentication
server is broken and trying to connect fails if tlsv1.1 or tlsv1.2 are
enabled.

I don't have access to this network very often, typically once a week,
would you need verbose logs to figure this out? How verbose do you need
(-d or -dd)? Are there any extra configuration options that would help
debug this?.

I guess this is not much help but with the default verbosity level I get
the following for an unsuccessful connection (with openssl 1.1.0.e)

Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:0b:86:ce:11:40
(SSID='eduroam' freq=2462 MHz)
wlan0: Trying to associate with 00:0b:86:ce:11:40 (SSID='eduroam'
freq=2462 MHz)
wlan0: Associated with 00:0b:86:ce:11:40
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: Authentication with 00:0b:86:ce:11:40 timed out.
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:ce:11:40 reason=3
locally_generated=1
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1
duration=10 reason=AUTH_FAILED
wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="eduroam"
wlan0: SME: Trying to authenticate with 00:0b:86:c3:05:c2
(SSID='eduroam' freq=2462 MHz)
wlan0: Trying to associate with 00:0b:86:c3:05:c2 (SSID='eduroam'
freq=2462 MHz)
wlan0: Associated with 00:0b:86:c3:05:c2
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: Authentication with 00:0b:86:c3:05:c2 timed out.
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:c3:05:c2 reason=3
locally_generated=1
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2
duration=23 reason=AUTH_FAILED
wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="eduroam"
wlan0: SME: Trying to authenticate with 00:0b:86:cf:d4:20
(SSID='eduroam' freq=2462 MHz)
wlan0: Trying to associate with 00:0b:86:cf:d4:20 (SSID='eduroam'
freq=2462 MHz)
wlan0: Associated with 00:0b:86:cf:d4:20
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: Authentication with 00:0b:86:cf:d4:20 timed out.
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:cf:d4:20 reason=3
locally_generated=1
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=3
duration=46 reason=AUTH_FAILED
^Cnl80211: deinit ifname=wlan0 disabled_11b_rates=0
wlan0: CTRL-EVENT-TERMINATING

And I get this if I can connect successfully (with openssl 1.0.2.l):
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:0b:86:c3:05:c2
(SSID='eduroam' freq=2462 MHz)
wlan0: Trying to associate with 00:0b:86:c3:05:c2 (SSID='eduroam'
freq=2462 MHz)
wlan0: Associated with 00:0b:86:c3:05:c2
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: WPA: Failed to get master session key from EAPOL state machines -
key handshake aborted
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=New
Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA
Certification Authority'
hash=1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1
subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2'
hash=2ff1832de6f9506aac9d2c7757ea075764ec68cc9c70a0ece33ecc61607cbe43
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control
Validated/CN=chaparro.ipt.pt'
hash=254a6a1dd1af91acaf0e8239bb90655a4ddb334a08b08da44afb2a2b1546438c
wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:chaparro.ipt.pt
SSL: SSL3 alert: write (local SSL3 detected an
error):fatal:unexpected_message
OpenSSL: openssl_handshake - SSL_connect error:1408E0F4:SSL
routines:ssl3_get_message:unexpected message
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: Authentication with 00:0b:86:c3:05:c2 timed out.
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:c3:05:c2 reason=3
locally_generated=1
wlan0: SME: Trying to authenticate with 00:0b:86:ce:11:40
(SSID='eduroam' freq=2462 MHz)
wlan0: Trying to associate with 00:0b:86:ce:11:40 (SSID='eduroam'
freq=2462 MHz)
wlan0: Associated with 00:0b:86:ce:11:40
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: WPA: Failed to get master session key from EAPOL state machines -
key handshake aborted
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=New
Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA
Certification Authority'
hash=1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1
subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2'
hash=2ff1832de6f9506aac9d2c7757ea075764ec68cc9c70a0ece33ecc61607cbe43
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control
Validated/CN=chaparro.ipt.pt'
hash=254a6a1dd1af91acaf0e8239bb90655a4ddb334a08b08da44afb2a2b1546438c
wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:chaparro.ipt.pt
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlan0: PMKSA-CACHE-ADDED 00:0b:86:ce:11:40 0
wlan0: WPA: Key negotiation completed with 00:0b:86:ce:11:40 [PTK=CCMP
GTK=CCMP]
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:0b:86:ce:11:40 completed
[id=0 id_str=]

-- 
Mauro Santos

More information about the Hostap mailing list