[Pkg-openssl-devel] Bug#883025: Breaks wpa_supplicant on WPA-Enterprise networks

[Josh Triplett]

Package: libssl1.1
Version: 1.1.0g-2
Severity: important
Tags: upstream

See https://github.com/openssl/openssl/issues/3594 ; current OpenSSL
breaks compatibility with the hook mechanism that wpa_supplicant used to
provide the passphrase for PEM keys. The net result is this:

wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wpa_supplicant[7178]: Enter PEM pass phrase:
wpa_supplicant[7178]: OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
wpa_supplicant[7178]: OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
wpa_supplicant[7178]: OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
wpa_supplicant[7178]: TLS: Failed to load private key '/home/josh/.cert/priv-key-machine.pem'
wpa_supplicant[7178]: TLS: Failed to set TLS connection parameters
wpa_supplicant[7178]: EAP-TLS: Failed to initialize SSL.
wpa_supplicant[7178]: wlp4s0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Note the "Enter PEM pass phrase:" prompt, caused by wpa_supplicant not having
an opportunity (via hooks) to supply the passphrase.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl1.1 depends on:
ii  debconf [debconf-2.0]  1.5.65
ii  libc6                  2.25-2

libssl1.1 recommends no packages.

libssl1.1 suggests no packages.

-- debconf information excluded