Getting TLS-related information about a PEAP connection from wpa_supplicant
Arsen Arsenović
arsen at aarsen.me
Wed Nov 29 08:00:52 PST 2023
Jouni Malinen <j at w1.fi> writes:
> On Sun, Nov 26, 2023 at 10:52:54AM +0100, Arsen Arsenović wrote:
>> I'm trying to debug a connection failure from some systems onto our
>> PEAP-connected network.
>>
>> I've identified that the cause of the issue is that OpenSSL 3, present
>> some of the systems that fail to connect, has a higher default SECLEVEL
>> and/or minimum protocol version than previous versions.
>>
>> I have reason to suspect that our PEAP infrastructure uses severely
>> outdated TLS, and so that OpenSSL is acting correctly, and would like to
>> confirm this suspicion and submit an analysis and request to upgrade to
>> our network administrators.
>>
>> Can I fetch information about the PEAP TLS session (TLS version, ciphers
>> in use, ...) from wpa_supplicant?
>
> It is unfortunately very common for deployed RADIUS authentication
> servers to use old (and in many cases, _really_ old) TLS implementations
> and protocol features. While the best way to address this would be to
> update the authentication server, that is not always practical for the
> users of the network to get done and as such, wpa_supplicant does allow
> SECLEVEL to be dropped as a workaround with the openssl_ciphers
> configuration parameter.
I've recovered the following logs from a failed connect attempt:
OpenSSL: RX ver=0x301 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=81): [REMOVED]
OpenSSL: Server selected cipher suite 0x2f
OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=21 (alert/)
OpenSSL: Message - hexdump(len=2): [REMOVED]
SSL: (where=0x4008 ret=0x246)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
EAP: Status notification: local TLS alert (param=protocol version)
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in error
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
SSL: 7 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
SSL: Failed - tls_out available to report error (len=7)
... which would mean TLSv1.2 is used, I believe. I suspect the
ciphersuites are too old.
> The easiest way to get comprehensive information from failed PEAP
> authentication attempts is using the stdout debug facility by adding -dd
> on the wpa_supplicant command line. That might be doable with
> distribution specific mechanisms in some other ways as well by
> configuring debug verbosity to MSGDUMP (or even DEBUG would likely be
> sufficient for most needs) and record debug log into the system log
> files.
Indeed, I did that for the above. Thanks.
Have a lovely day.
--
Arsen Arsenović
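The question in this thread (can the TLS version and cipher suite of a PEAP session be read out of wpa_supplicant?) is answered by the -dd debug output quoted above. The following is an added example, not code from the hostap project or from either participant: a small parser over the "OpenSSL:" and "SSL:" lines that wpa_supplicant's OpenSSL wrapper prints at DEBUG/MSGDUMP verbosity. It extracts the record-layer versions seen in each direction, the server-selected cipher suite, any TLS alert and the packed OpenSSL 3 error code, decodes the latter into library and reason, and classifies the failure as a protocol-version or a cipher-suite problem. The line shapes are taken from the log quoted in this message; the cipher-suite and OpenSSL reason tables are deliberately partial (a handful of IANA suites and SSL_R_* reasons, assumed here for illustration), and anything outside them is reported by number.

```python
"""Summarise the TLS handshake recorded in a wpa_supplicant -dd debug log.

Added example; not code from the hostap project or from the thread above.
It reads the "OpenSSL:" and "SSL:" lines wpa_supplicant emits at DEBUG or
MSGDUMP verbosity and reports record-layer versions, the server-selected
cipher suite, TLS alerts and the decoded OpenSSL error.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

TLS_VERSIONS = {0x300: "SSLv3", 0x301: "TLSv1.0", 0x302: "TLSv1.1", 0x303: "TLSv1.2", 0x304: "TLSv1.3"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Partial IANA cipher-suite registry: suites commonly met on old RADIUS servers.
CIPHER_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x1301: "TLS_AES_128_GCM_SHA256"}
# OpenSSL 3 packs error codes as library (bits 23..30) | reason (bits 0..22).
# Reason table is partial; alert-derived reasons are 1000 + the alert number.
ERR_LIB_SSL = 20
SSL_REASONS = {134: "SSL_R_CERTIFICATE_VERIFY_FAILED", 181: "SSL_R_NO_CIPHERS_AVAILABLE",
               258: "SSL_R_UNSUPPORTED_PROTOCOL", 267: "SSL_R_WRONG_VERSION_NUMBER",
               1040: "SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE", 1070: "SSL_R_TLSV1_ALERT_PROTOCOL_VERSION"}

# Line shapes as wpa_supplicant's OpenSSL wrapper prints them (content type 256 = record header).
RECORD_RE = re.compile(r"OpenSSL: (RX|TX) ver=0x([0-9a-fA-F]+) content_type=(\d+) \(([^)]*)\)")
CIPHER_RE = re.compile(r"OpenSSL: Server selected cipher suite 0x([0-9a-fA-F]+)")
ALERT_RE = re.compile(r"SSL: SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
ERROR_RE = re.compile(r"SSL_connect error:([0-9a-fA-F]{8}):(.*)$")
VERSION_RE = re.compile(r"SSL: Using TLS version (\S+)")


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL 3 error code into library number and reason."""
    lib, reason = (code >> 23) & 0xFF, code & 0x7FFFFF
    name = SSL_REASONS.get(reason, "unknown") if lib == ERR_LIB_SSL else "not ERR_LIB_SSL"
    return {"code": code, "lib": lib, "reason": reason, "reason_name": name}


@dataclass
class HandshakeSummary:
    record_versions: set = field(default_factory=set)  # {(direction, version name)} seen on the wire
    messages: list = field(default_factory=list)       # (direction, content type, description)
    alerts: list = field(default_factory=list)         # (direction, level, description)
    selected_cipher: Optional[int] = None
    openssl_error: Optional[dict] = None
    negotiated_version: Optional[str] = None

    @property
    def cipher_name(self) -> Optional[str]:
        if self.selected_cipher is None:
            return None
        return CIPHER_SUITES.get(self.selected_cipher, f"unknown suite 0x{self.selected_cipher:04x}")

    @property
    def cipher_has_forward_secrecy(self) -> Optional[bool]:
        """Static-RSA suites (TLS_RSA_WITH_*) have none; (EC)DHE and TLS 1.3 suites do."""
        name = self.cipher_name or ""
        if name.startswith("TLS_RSA_WITH_"):
            return False
        return True if "DHE" in name or (self.selected_cipher or 0) >> 8 == 0x13 else None

    def diagnosis(self) -> str:
        alert_text = {desc for _, _, desc in self.alerts}
        reason = (self.openssl_error or {}).get("reason_name")
        if "protocol version" in alert_text or reason == "SSL_R_UNSUPPORTED_PROTOCOL":
            return "protocol-version failure: local OpenSSL refused the TLS version in use"
        if "handshake failure" in alert_text or reason == "SSL_R_NO_CIPHERS_AVAILABLE":
            return "cipher-suite failure: no suite acceptable to both sides"
        if self.negotiated_version:
            return f"handshake over {self.negotiated_version} with {self.cipher_name}"
        return "no TLS outcome found in log"


def parse_wpa_log(text: str) -> HandshakeSummary:
    """Single pass over the log; hexdumps and where=/ret= lines match nothing and are skipped."""
    s = HandshakeSummary()
    for line in text.splitlines():
        if m := RECORD_RE.search(line):
            direction, ver, ctype = m.group(1), int(m.group(2), 16), int(m.group(3))
            s.record_versions.add((direction, TLS_VERSIONS.get(ver, hex(ver))))
            if ctype != 256:  # the 5-byte record header carries no message of its own
                s.messages.append((direction, CONTENT_TYPES.get(ctype, str(ctype)), m.group(4).rstrip("/")))
        elif m := CIPHER_RE.search(line):
            s.selected_cipher = int(m.group(1), 16)
        elif m := ALERT_RE.search(line):
            s.alerts.append((m.group(1), m.group(2), m.group(3).strip()))
        elif m := ERROR_RE.search(line):
            s.openssl_error = dict(decode_openssl_error(int(m.group(1), 16)), text=m.group(2).strip())
        elif m := VERSION_RE.search(line):
            s.negotiated_version = m.group(1)
    return s


# The failing attempt quoted in the message above, trimmed to the lines the parser uses.
SAMPLE_LOG = """\
OpenSSL: RX ver=0x301 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Server selected cipher suite 0x2f
OpenSSL: TX ver=0x303 content_type=21 (alert/)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
SSL: Using TLS version TLSv1.2
"""

if __name__ == "__main__":
    print(parse_wpa_log(SAMPLE_LOG))
```

On the quoted log this yields TLS 1.2 with cipher suite 0x002F (TLS_RSA_WITH_AES_128_CBC_SHA, static RSA key exchange, no forward secrecy), a locally written fatal "protocol version" alert, and error 0x0A000102 decoded as ERR_LIB_SSL / SSL_R_UNSUPPORTED_PROTOCOL. Note that the TLS handshake here runs inside EAP, carried over EAPOL to the access point and over RADIUS to the authentication server, so there is no TCP endpoint to point `openssl s_client` at; the supplicant debug log, or hostap's eapol_test run directly against the RADIUS server, is where the negotiated parameters can be read. Where the result points at cipher or security-level limits rather than the protocol version, the workaround Jouni names is the openssl_ciphers parameter, which takes an OpenSSL cipher string (the `@SECLEVEL=n` suffix is OpenSSL's syntax for lowering the security level).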