[Pkg-openssl-devel] Bug#907888: openssl: Breaks wpa_supplicant (and NetworkManager) which fail with error "ee key too small"
Gianpaolo Cugola
gianpaoloc at gmail.com
Mon Sep 3 17:26:05 BST 2018
Package: openssl
Version: 1.1.1~~pre9-1
Severity: important
Dear Maintainer,
version 1.1.1~~pre9-1 of the openssl package breaks wpa_supplicant (and
NetworkManager) when using EAP TLS connections. In particular, launching:
> wpa_supplicant -dd -i wlp2s0 -c ./eduroam.conf
where /eduroam.conf is:
network={
ssid="eduroam"
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP TKIP
eap=TLS
ca_cert="/tmp/ca.pem"
identity="xxx at xxx.xx"
domain_suffix_match="wifi.polimi.it"
private_key="/tmp/wifiCert_nopass.p12"
private_key_passwd=""
}
I get the error (excerpt of the wpa_supplicant log, with username changed to
avoid disclosing sensitive info)
...
EAP: EAP entering state GET_METHOD
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
TLS: Successfully parsed PKCS12 data
TLS: Got certificate from PKCS12:
subject='/C=IT/ST=Lombardia/L=Milano/O=Politecnico di Milano/OU=Area Sistemi ICT/CN=xxx at xxx.xx'
TLS: Got private key from PKCS12
TLS - SSL error: error:140C618F:SSL routines:SSL_use_certificate:ee key too small
OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key '/home/cugola/wifiCert_nopass.p12'
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
...
If I go back to openssl_1.1.0h-4_amd64.deb everything works fine. Here is
the same excerpt as above when the old version of the package is used:
...
EAP: EAP entering state GET_METHOD
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
TLS: Successfully parsed PKCS12 data
TLS: Got certificate from PKCS12:
subject='/C=IT/ST=Lombardia/L=Milano/O=Politecnico di Milano/OU=Area Sistemi ICT/CN=xxx at xxx.xx'
TLS: Got private key from PKCS12
OpenSSL: Reading PKCS#12 file --> OK
SSL: Private key loaded successfully
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
...
Please do not hesitate to contact me for further tests.
Regards
G.
-- System Information:
Debian Release: buster/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'),
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.18.5-xps13 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssl depends on:
ii libc6 2.27-5
ii libssl1.1 1.1.1~~pre9-1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20180409
-- no debconf information
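
Added example (not part of the original report, and not wpa_supplicant or OpenSSL code): a small triage script for wpa_supplicant -dd output that decodes the packed OpenSSL 1.1.x error code from the log above and flags key-strength rejections such as "ee key too small", which OpenSSL reports when the end-entity certificate's key is below what the active security level accepts. The names triage, unpack and POLICY_REASONS are hypothetical; the sample lines are copied from the excerpt in the report and keep a mail-style line wrap so the unwrapping is exercised.

```python
import re

# OpenSSL 1.1.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")
KEYFILE_RE = re.compile(r"Failed to load private key '([^']+)'")
# Reason strings OpenSSL uses when a key or digest is rejected as too weak.
POLICY_REASONS = {"ee key too small", "ca key too small",
                  "ca md too weak", "dh key too small"}

# Sample input: lines from the report's log excerpt, wrapped as a mail archive wraps them.
SAMPLE = """\
TLS: Got private key from PKCS12
TLS - SSL error: error:140C618F:SSL routines:SSL_use_certificate:ee key too
small
OpenSSL: tls_connection_private_key - Failed to load private key
error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key '/home/cugola/wifiCert_nopass.p12'
"""


def unpack(code_hex):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def triage(log_text):
    """Return one finding per non-empty OpenSSL error found in the log."""
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = ERR_RE.search(line)
        if not m or m.group(1) == "00000000":  # skip the empty error-queue entry
            continue
        reason = m.group(4).strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if f"{reason} {nxt}" in POLICY_REASONS:  # undo a wrap inside the reason text
            reason = f"{reason} {nxt}"
        # The credential wpa_supplicant was loading is named a few lines later.
        keyfile = next((k.group(1) for l in lines[i + 1:i + 6]
                        if (k := KEYFILE_RE.search(l))), None)
        lib, func, code = unpack(m.group(1))
        findings.append({"lib": lib, "func": func, "reason_code": code,
                         "function": m.group(3), "reason": reason,
                         "policy_rejection": reason in POLICY_REASONS,
                         "keyfile": keyfile})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A finding with policy_rejection set points at the credential itself (key size or digest) rather than at the PKCS#12 parsing, which the log shows succeeding just before the error.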