Trouble connection to eduroam - openssl 1.1.0.e vs 1.0.2.l

Dan Williams dcbw at redhat.com
Fri May 26 12:57:38 PDT 2017


On Fri, 2017-05-26 at 17:54 +0100, Mauro Santos wrote:
> Hello,
> 
> Like the subject line says I'm having trouble connecting to an eduroam
> network. At first I was using the wpa_supplicant executable (version
> 2.6) provided by the distro (Arch Linux) but since it wasn't working I
> decided to try the latest git version.
> 
> Building the latest git version against openssl 1.1.0.e results in
> failed attempts to connect. If I use openssl 1.0.2.l I am able to
> connect successfully.
> 
> Could this be a problem due to some change in openssl?
> 
> The configuration file I've been using to test looks like this:
> 
> ap_scan=1
> p2p_disabled=1
> 
> network={
>         ssid="eduroam"
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         identity="myidentity at ipt.pt"
>         password="myplaintextpassword"
>         phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
>         phase2="auth=MSCHAPV2"
> }
> 
> As you can see this network is a special snowflake as the
> authentication server is broken and trying to connect fails if tlsv1.1
> or tlsv1.2 are enabled.
> 
> I don't have access to this network very often, typically once a week,
> would you need verbose logs to figure this out? How verbose do you need
> (-d or -dd)? Are there any extra configuration options that would help
> debug this?

Use "-dddt" for max debugging with timestamps.  Make sure you scan the
logs for your password and remove that before sending to the list of
course.  It might also be in the hex bytes the supplicant dumps, so
check those too.

Dan

> I guess this is not much help but with the default verbosity level I get
> the following for an unsuccessful connection (with openssl 1.1.0.e)
> 
> Successfully initialized wpa_supplicant
> wlan0: SME: Trying to authenticate with 00:0b:86:ce:11:40 (SSID='eduroam' freq=2462 MHz)
> wlan0: Trying to associate with 00:0b:86:ce:11:40 (SSID='eduroam' freq=2462 MHz)
> wlan0: Associated with 00:0b:86:ce:11:40
> wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> wlan0: Authentication with 00:0b:86:ce:11:40 timed out.
> wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:ce:11:40 reason=3 locally_generated=1
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=AUTH_FAILED
> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="eduroam"
> wlan0: SME: Trying to authenticate with 00:0b:86:c3:05:c2 (SSID='eduroam' freq=2462 MHz)
> wlan0: Trying to associate with 00:0b:86:c3:05:c2 (SSID='eduroam' freq=2462 MHz)
> wlan0: Associated with 00:0b:86:c3:05:c2
> wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> wlan0: Authentication with 00:0b:86:c3:05:c2 timed out.
> wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:c3:05:c2 reason=3 locally_generated=1
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=23 reason=AUTH_FAILED
> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="eduroam"
> wlan0: SME: Trying to authenticate with 00:0b:86:cf:d4:20 (SSID='eduroam' freq=2462 MHz)
> wlan0: Trying to associate with 00:0b:86:cf:d4:20 (SSID='eduroam' freq=2462 MHz)
> wlan0: Associated with 00:0b:86:cf:d4:20
> wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> wlan0: Authentication with 00:0b:86:cf:d4:20 timed out.
> wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:cf:d4:20 reason=3 locally_generated=1
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=3 duration=46 reason=AUTH_FAILED
> ^Cnl80211: deinit ifname=wlan0 disabled_11b_rates=0
> wlan0: CTRL-EVENT-TERMINATING
> 
> And I get this if I can connect successfully (with openssl 1.0.2.l):
> Successfully initialized wpa_supplicant
> wlan0: SME: Trying to authenticate with 00:0b:86:c3:05:c2 (SSID='eduroam' freq=2462 MHz)
> wlan0: Trying to associate with 00:0b:86:c3:05:c2 (SSID='eduroam' freq=2462 MHz)
> wlan0: Associated with 00:0b:86:c3:05:c2
> wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> wlan0: WPA: Failed to get master session key from EAPOL state machines - key handshake aborted
> wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority' hash=1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
> wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2' hash=2ff1832de6f9506aac9d2c7757ea075764ec68cc9c70a0ece33ecc61607cbe43
> wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=chaparro.ipt.pt' hash=254a6a1dd1af91acaf0e8239bb90655a4ddb334a08b08da44afb2a2b1546438c
> wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:chaparro.ipt.pt
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unexpected_message
> OpenSSL: openssl_handshake - SSL_connect error:1408E0F4:SSL routines:ssl3_get_message:unexpected message
> wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> wlan0: Authentication with 00:0b:86:c3:05:c2 timed out.
> wlan0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:c3:05:c2 reason=3 locally_generated=1
> wlan0: SME: Trying to authenticate with 00:0b:86:ce:11:40 (SSID='eduroam' freq=2462 MHz)
> wlan0: Trying to associate with 00:0b:86:ce:11:40 (SSID='eduroam' freq=2462 MHz)
> wlan0: Associated with 00:0b:86:ce:11:40
> wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> wlan0: WPA: Failed to get master session key from EAPOL state machines - key handshake aborted
> wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority' hash=1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
> wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2' hash=2ff1832de6f9506aac9d2c7757ea075764ec68cc9c70a0ece33ecc61607cbe43
> wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=chaparro.ipt.pt' hash=254a6a1dd1af91acaf0e8239bb90655a4ddb334a08b08da44afb2a2b1546438c
> wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:chaparro.ipt.pt
> EAP-MSCHAPV2: Authentication succeeded
> EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
> wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> wlan0: PMKSA-CACHE-ADDED 00:0b:86:ce:11:40 0
> wlan0: WPA: Key negotiation completed with 00:0b:86:ce:11:40 [PTK=CCMP GTK=CCMP]
> wlan0: CTRL-EVENT-CONNECTED - Connection to 00:0b:86:ce:11:40 completed [id=0 id_str=]
> 
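
The check Dan describes above (look for the password both as text and in the hex bytes before posting a log), as an added example that is not part of the original thread and is not hostap project code. The function names, the sample password `hunter2` and the sample log lines are constructed for illustration; it covers single-line hex dumps only, not dumps that split the secret across rows.

```python
import re

MASK = "[REDACTED]"

def secret_patterns(secret: str) -> dict:
    """Regexes for the forms a secret can take in a debug log (assumed set)."""
    if not secret:
        raise ValueError("secret must be non-empty")
    def hexpat(data: bytes) -> str:
        # Hex pairs, any case, optionally separated by one space or colon.
        # No byte-boundary anchor: over-redacting beats missing a leak.
        return "(?i:" + "[ :]?".join(f"{b:02x}" for b in data) + ")"
    return {
        "plaintext": re.compile(re.escape(secret)),
        "hex-utf8": re.compile(hexpat(secret.encode("utf-8"))),
        # MSCHAPv2 hashes the UTF-16LE form of the password, so check it too.
        "hex-utf16le": re.compile(hexpat(secret.encode("utf-16-le"))),
    }

def find_leaks(log_text: str, secret: str) -> list:
    """Return (line_number, kind) for each line that exposes the secret."""
    pats = secret_patterns(secret)
    return [(n, kind)
            for n, line in enumerate(log_text.splitlines(), 1)
            for kind, pat in pats.items() if pat.search(line)]

def scrub(log_text: str, secret: str) -> str:
    """Mask every occurrence matched by secret_patterns()."""
    for pat in secret_patterns(secret).values():
        log_text = pat.sub(MASK, log_text)
    return log_text

# Constructed sample lines, not real wpa_supplicant output.
SAMPLE = "\n".join([
    '1495828658.1: password="hunter2"',
    "1495828658.2: phase2 request - hexdump(len=9): 02 68 75 6e 74 65 72 32 00",
    "1495828658.3: nt password input - hexdump(len=14): "
    "68 00 75 00 6e 00 74 00 65 00 72 00 32 00",
    "1495828658.4: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started",
])

if __name__ == "__main__":
    print(find_leaks(SAMPLE, "hunter2"))
    print(scrub(SAMPLE, "hunter2"))
```

Run `find_leaks` again on the scrubbed text before sending it; an empty list means none of the three forms remain.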


