wpa_supplicant 2.4 problems in dbus mode with pkcs11 engine

Thorsten Bonhagen thorsten.bonhagen at tbon.de
Sun Nov 12 01:23:24 PST 2017


Hi,

found a workaround for the client-cert problem:
looks like adding two lines to the NetworkManager config file fixes the "cert
not used" problem:
client-cert-password=
client-cert-password-flags=0

regards



On 04.11.2017 00:02, dennis.knorr at gmx.net (dennis knorr) wrote:
> Hi,
> we currently work at the City of Munich with wpa_supplicant 2.4 for
> 802.1x authentication for Ubuntu clients and happened to spot a few
> problems. We are currently evaluating it further, but wanted to notify the
> wpa_supplicant community of it and wanted to know if anyone else has
> stumbled on it.
>
> We want to do 802.1x over wire and air with certificates in a
> pkcs11-container (softhsm2 for example) and use that via wpa_supplicant
> and NetworkManager. Currently the configuration for wpa_supplicant is
> given to NetworkManager over dbus and our platform is Kubuntu 17.10.
>
> the client architecture looks like this:
> {x509 privatekey}--[imported]-->softhsm2
>                                     ^
>                                     |
>                                  p11-kit
>                                     ^
>                                     |
>                             [pkcs11-interface]
>                                     |
>                                     |
> networkmanager<--[dbus]-->wpa_supplicant<--[Air|Cable]-->RadiusServer
>
> The problems are:
> 1. Client crt cannot use pkcs11 uri.
> If a complete certificate is put into the pkcs11-container and called
> via its pkcs11-uri, wpa_supplicant is not able to retrieve the
> certificate and use it for 802.1x or WPA Enterprise. It only works if
> only the private key is put into the pkcs11-container and this key is
> called by wpa_supplicant via pkcs11. It looks like wpa_supplicant does
> not even ask p11-kit for an engine to query the pkcs11-uri for a
> certificate.
>
> 2. After the first successful use (private key query), the pkcs11 engine
> usage is broken for the second usage.
> The first usage of the private key pkcs11 uri with wpa_supplicant for
> the authentication to the (802.1x) network is successful. When
> wpa_supplicant wants to reauthenticate to the network and is not
> restarted (in dbus-mode), wpa_supplicant writes to syslog:
>
> ###
> Okt 30 06:09:21 tb8021x wpa_supplicant[923]: ENGINE: engine init failed
> (engine: pkcs11) [error:00000000:lib(0):func(0):reason(0)]
> Okt 30 06:09:21 tb8021x wpa_supplicant[923]: p11-kit: softhsm2: module
> failed to initialize, skipping: The module has already been initialized
> Okt 30 06:09:21 tb8021x wpa_supplicant[923]: Failed to enumerate slots
> ###
>
> After the wpa_supplicant line there's the softhsm2 line, which shows the
> pkcs11 system cannot be initialized because it is ALREADY initialized.
> Therefore we have the theory that the pkcs11 engine is not cleaned up
> after first use or not (correctly) reinitialized in the current context.
>
> The preparation for reproducing our stuff would look like this:
>
> * Server preparation: Radius with EAP and x509 CA and server crt.
> ** Managed switch with 802.1X support and configured to use the radius server.
> ** Wifi access point with WPA Enterprise configured to use the radius server.
> * Client preparation: kde5 + networkmanager + plasma-nm + wpa_supplicant
> 2.4 + openssl 1.0.x + libengine-pkcs11-openssl + softhsm2 + p11-kit +
> p11tool (Kubuntu 17.10)
> ** x509 client crt matching CA. Radius matching files stored: client crt
> + private key + CA.
> ** Softhsm2 storage token for client crt and private key with root
> access (via global config softhsm2).
> ** p11-kit module for softhsm2 configured.
> ** openssl pkcs11 library installed and linked correctly to be able to
> load from openssl.
> ** openssl should be able to use softhsm2 via pkcs11 engine lib.
>
>
> Our Client networkmanager profiles are as shown:
> 1.) LAN 802.1x config with files only (CA + client cert + private key)
> 2.) LAN 802.1x config with pkcs11 for private key only
> 3.) LAN 802.1x config with pkcs11 for client cert only
> 4.) LAN 802.1x config with pkcs11 for client cert and private key
>
> 5.) WIFI WPA Enterprise config with files only (CA + client cert +
> private key)
> 6.) WIFI WPA Enterprise config with pkcs11 for private key only
> 7.) WIFI WPA Enterprise config with pkcs11 for client cert only
> 8.) WIFI WPA Enterprise config with pkcs11 for client cert and private key
>
> Results:
> Working config without any limitations: 1 + 5
> Working config after wpa_supplicant is restarted: 2 + 6
> Not working configs: 3 + 4 + 7 + 8
>
> We thought this would be a common setup and expected it to work, but it
> looks like there are some bugs in the combination
> pkcs11+wpa_supplicant+networkmanager. If you need/want, we could provide
> some initialization scripts for the client side, which set up the
> client configuration. Server configuration would take a bit longer, since
> we do not maintain the server side (network admin guys with Cisco stuff),
> or how to "emulate" 802.1x-over-wire/air authentication with virtual
> machines for reproduction, for example, if anyone is interested.
>
> We will further work on this but wanted to know whether some of you
> experienced this or have any hints for us. We would be also glad if this
> starts a discussion about the interaction of the different components,
> since this is not very transparent for newcomers.
>
> Yours,
> the limux guys.
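Added example (not code from either poster or from the hostap or NetworkManager projects): it classifies a NetworkManager keyfile profile into the four cert/key placements of the test matrix above and adds the two `[802-1x]` keys from the workaround reply if they are missing. The keyfile contents, token and object names are constructed placeholders.

```python
import configparser
import io

# Constructed keyfile for profile 4 of the thread's matrix (wired 802.1x,
# client cert AND private key referenced by PKCS#11 URI). Placeholder values.
SAMPLE_KEYFILE = """\
[connection]
id=lan-8021x-pkcs11
type=ethernet

[802-1x]
eap=tls;
identity=client@example.org
ca-cert=/etc/ssl/certs/example-ca.pem
client-cert=pkcs11:token=softhsm-example;object=client;type=cert
private-key=pkcs11:token=softhsm-example;object=client;type=private
private-key-password-flags=0
"""

# The two keys from the workaround reply: an empty client-cert password and
# flags=0 (secret handled by NetworkManager itself, nothing to prompt for).
WORKAROUND = {"client-cert-password": "", "client-cert-password-flags": "0"}

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as NetworkManager wrote it
    cp.read_string(text)
    return cp

def classify(text):
    """Map a profile onto the thread's matrix by where cert and key live."""
    cp = _load(text)
    if not cp.has_section("802-1x"):
        return "no-802.1x"
    cert_p11 = cp.get("802-1x", "client-cert", fallback="").startswith("pkcs11:")
    key_p11 = cp.get("802-1x", "private-key", fallback="").startswith("pkcs11:")
    return {(False, False): "files-only", (False, True): "pkcs11-key-only",
            (True, False): "pkcs11-cert-only",
            (True, True): "pkcs11-cert-and-key"}[(cert_p11, key_p11)]

def apply_workaround(text):
    """Return (new_text, changed); adds the two keys to [802-1x] if absent."""
    cp = _load(text)
    if not cp.has_section("802-1x"):
        return text, False
    changed = False
    for key, value in WORKAROUND.items():
        if not cp.has_option("802-1x", key):
            cp.set("802-1x", key, value)
            changed = True
    if not changed:
        return text, False
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue(), True
```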



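Added example (not from the thread or the hostap project): a small journal/syslog scanner that pairs the `ENGINE: engine init failed (engine: pkcs11)` line with the following p11-kit "already been initialized" line from the same wpa_supplicant process, so a fleet monitor can flag clients that hit the reauthentication failure described above. The sample log is constructed from the three lines quoted in the thread plus one unrelated line.

```python
import re

# Constructed excerpt: the thread's three entries (re-joined onto single
# lines; the mail client had wrapped them) plus one unrelated line as noise.
SAMPLE_LOG = """\
Okt 30 06:09:20 tb8021x systemd[1]: Started Session 3 of user tb.
Okt 30 06:09:21 tb8021x wpa_supplicant[923]: ENGINE: engine init failed (engine: pkcs11) [error:00000000:lib(0):func(0):reason(0)]
Okt 30 06:09:21 tb8021x wpa_supplicant[923]: p11-kit: softhsm2: module failed to initialize, skipping: The module has already been initialized
Okt 30 06:09:21 tb8021x wpa_supplicant[923]: Failed to enumerate slots
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ENGINE_FAIL = "ENGINE: engine init failed (engine: pkcs11)"
P11KIT_REINIT = re.compile(
    r"p11-kit: (?P<module>[^:]+): module failed to initialize.*already been initialized")

def find_pkcs11_reinit_failures(log_text):
    """One finding per wpa_supplicant process that logged the ENGINE failure
    immediately followed by p11-kit refusing a second initialization, i.e.
    the symptom the thread attributes to the engine not being torn down
    after its first use (restarting wpa_supplicant cleared it for them)."""
    pending = {}   # (host, pid) -> timestamp of the ENGINE failure line
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m or m["prog"] != "wpa_supplicant":
            continue
        key = (m["host"], m["pid"])
        msg = m["msg"]
        if msg.startswith(ENGINE_FAIL):
            pending[key] = m["ts"]      # wait for the matching p11-kit line
        elif key in pending:
            r = P11KIT_REINIT.match(msg)
            if r:
                findings.append({"ts": pending.pop(key), "host": m["host"],
                                 "pid": int(m["pid"]), "module": r["module"],
                                 "hint": "pkcs11 engine re-init failed on "
                                         "reauth; restart wpa_supplicant"})
            else:
                pending.pop(key)        # ENGINE line without the p11-kit pair
    return findings
```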

More information about the Hostap mailing list