Issues using FIPS built wpa_supplicant "FIPS mode requested, but not supported"
Steven LaCosse
steven.lacosse at motorolasolutions.com
Fri May 31 11:22:11 PDT 2024
Hi All,
I'm having issues with trying to use wired 802.1X using EAP-TLS on a
FIPS enabled Ubuntu 22.04 machine. The RADIUS server for
authentication is using cert based authentication. The RADIUS server is
using high level ciphers and forcing TLS 1.2.
This configuration works when the machine does not have fips enabled
(openssl fips).
Enabling FIPS, which installs a FIPS validated openssl, resulted in the
Ubuntu 22.04 packaged wpa_supplicant failing with the following
issue:
wpa_supplicant[19782]: SSL: SSL3 alert: write (local SSL3 detected an
error):fatal:internal error
wpa_supplicant[19782]: OpenSSL: openssl_handshake - SSL_connect
error:1C800073:Provider routines::invalid data
wpa_supplicant[19782]: OpenSSL: pending error: error:0A0C0103:SSL
routines::internal error
I believe the cause is wpa_supplicant trying to use unsafe ciphers in the
initial handshake.
This led me to try to build wpa_supplicant with the configuration flag
of CONFIG_FIPS=y
I can get this to build as I just need 802.1x and EAP TLS for my
needs. However, when I try using the FIPS configured wpa_supplicant, I
get an exception code.
Resulting in the following:
wpa_supplicant -D wired -B -i eno1 -dd -c wpa-eno1.conf
Add interface eno1 to a new radio N/A
eno1: Own MAC address: 70:5a:0f:43:7c:eb
eno1: RSN: flushing PMKID list in the driver
eno1: Setting scan request: 0.100000 sec
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
eno1: WPS: UUID based on MAC address: 0487e092-9670-5840-809d-2f1d906636f7
FIPS mode requested, but not supported
SSL: Failed to initialize TLS context.
Failed to initialize EAPOL state machines.
Failed to add interface eno1
eno1: Request to deauthenticate - bssid=00:00:00:00:00:00
pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING)
state=DISCONNECTED valid_links=0x0 ap_mld_addr=00:00:00:00:00:00
TDLS: Tear down peers
eno1: State: DISCONNECTED -> DISCONNECTED
QM: Clear all active DSCP policies
eno1: CTRL-EVENT-DSCP-POLICY clear_all
eno1: WPA: Clear old PMK and PTK
eno1: Cancelling scan request
eno1: Cancelling authentication timeout
Off-channel: Clear pending Action frame TX (pending_action_tx=(nil)
Off-channel: Action frame sequence done notification:
pending_action_tx=(nil) drv_offchan_tx=0 action_tx_wait_time=0
off_channel_freq=0 roc_waiting_drv_freq=0
QM: Clear all active DSCP policies
eno1: CTRL-EVENT-DSCP-POLICY clear_all
Remove interface eno1 from radio
Remove radio
Any suggestions to get it to work in FIPS mode? I've tried taking the
Debian config and building as similarly as I can.
Thanks!
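The message above shows two distinct failure signatures from wpa_supplicant under FIPS: the packaged build fails inside the TLS handshake (SSL_connect with a provider error), while the CONFIG_FIPS=y rebuild never gets a TLS context at all ("FIPS mode requested, but not supported"). The POSIX shell helper below is an added triage example, not code from the hostap project or from the poster. It tells those two stages apart when fed a -dd log, checks whether the OpenSSL FIPS provider is actually active (assuming an OpenSSL 3 provider-based install, where `openssl list -providers` prints a `status: active` line under each provider name), and checks whether the wpa_supplicant build's .config carries CONFIG_FIPS=y. The sample inputs are constructed from the lines quoted in the message and from the standard `openssl list -providers` layout.

```shell
#!/bin/sh
# Added triage helper for EAP-TLS in FIPS mode. Not from the hostap project.
# Assumptions: OpenSSL 3.x provider model; wpa_supplicant built from a .config
# file. Every sample input below is constructed for offline use.

# Return 0 when the "fips" provider is listed with "status: active" in
# `openssl list -providers` output read from stdin, 1 otherwise.
fips_provider_active() {
    awk '
        /^  [A-Za-z]/ { prov = $1 }   # two-space indent = provider name
        /status:/ && prov == "fips" && $2 == "active" { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Return 0 when a wpa_supplicant .config (stdin) enables the FIPS build.
build_config_has_fips() {
    grep -q '^CONFIG_FIPS=y'
}

# Classify a wpa_supplicant -dd log (stdin) by where EAP-TLS failed:
#   tls-init  : FIPS requested, but the TLS library wpa_supplicant was built
#               against does not expose FIPS support to it; no handshake ran
#   handshake : a TLS context existed, but SSL_connect failed during the
#               handshake (the provider rejected the negotiation)
#   ok        : neither failure signature present
classify_wpa_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'FIPS mode requested, but not supported'; then
        echo tls-init
    elif printf '%s\n' "$log" | grep -q 'openssl_handshake - SSL_connect'; then
        echo handshake
    else
        echo ok
    fi
}

# --- constructed samples -------------------------------------------------
sample_providers_fips='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.2
    status: active'

sample_providers_nofips='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

sample_log_handshake='wpa_supplicant[19782]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
wpa_supplicant[19782]: OpenSSL: openssl_handshake - SSL_connect error:1C800073:Provider routines::invalid data
wpa_supplicant[19782]: OpenSSL: pending error: error:0A0C0103:SSL routines::internal error'

sample_log_tlsinit='FIPS mode requested, but not supported
SSL: Failed to initialize TLS context.
Failed to initialize EAPOL state machines.
Failed to add interface eno1'

sample_config='CONFIG_DRIVER_WIRED=y
CONFIG_EAP_TLS=y
CONFIG_FIPS=y'

# Stand-alone demo: report what each constructed sample looks like.
if printf '%s\n' "$sample_providers_fips" | fips_provider_active; then
    echo "sample providers: fips provider active"
fi
printf '%s\n' "$sample_config" | build_config_has_fips && echo "sample .config: CONFIG_FIPS=y"
echo "packaged-build log  -> $(printf '%s\n' "$sample_log_handshake" | classify_wpa_log)"
echo "CONFIG_FIPS log     -> $(printf '%s\n' "$sample_log_tlsinit" | classify_wpa_log)"
```

On a real host, feed the live data instead of the samples: `openssl list -providers | fips_provider_active`, `build_config_has_fips < wpa_supplicant/.config`, and `classify_wpa_log < wpa_supplicant.log` (the -dd output saved to a file). A `tls-init` result means the fix lies in how wpa_supplicant was built against its TLS library, not in the EAP or cipher configuration; a `handshake` result means the TLS context came up and the negotiation itself is what the provider rejected.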