GNOME Bugzilla – Bug 569746
0.7 doesn't read multiple ca certificates
Last modified: 2009-10-16 02:41:19 UTC
Please describe the problem:
NetworkManager 0.7 no longer reads multiple certificates from the CA certificate that is specified via nm-applet. This is required for the authentication case where a root CA certificate and an intermediary CA need to be specified. Using NetworkManager 0.6.6 or using wpa_supplicant directly will work fine. I have tested this using the older 0.6.x and newer 0.7 versions on both Red Hat and Ubuntu, as well as my own compiled version, with the same results.

Steps to reproduce:
Create a PEM certificate file with a root cert and an intermediary certificate in the same file, e.g.:

-----BEGIN CERTIFICATE-----
encoded stuff ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encoded stuff ...
-----END CERTIFICATE-----

Then try to connect using it.

Actual results:
Depending on the order of the certificates in the file, the error message reported by wpa_supplicant will be slightly different:

CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 2 (unable to get issuer certificate) depth 1 for '/C=US/O=blah1'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

-- or --

CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=US/O=blah2'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

To me this means that it is only reading one of the certificates and giving it to wpa_supplicant.

Expected results:

Does this happen every time? yes

Other information:
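As an added illustration of the diagnosis above (this is not code from the bug report, from NetworkManager or from wpa_supplicant), the following Python reader handles the PEM bundle layout the reporter describes: it splits a file into its individual CERTIFICATE blocks, checks each decoded body is a well-formed DER SEQUENCE, and reports which certificates a consumer dropped when it handed only part of the bundle on. The sample bundle is constructed; its bodies are tiny DER placeholders standing in for a root and an intermediate CA, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample bundle: two minimal DER SEQUENCEs stand in for a root CA
# and an intermediate CA. They are NOT real certificates. "MAMCAQE=" decodes to
# 30 03 02 01 01 (SEQUENCE { INTEGER 1 }), "MAMCAQI=" to 30 03 02 01 02.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

# Matches one PEM CERTIFICATE block; tolerant of CRLF endings and stray text
# between blocks (comments, "subject=" lines) that some tools emit.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def check_der_sequence(der):
    """Reject anything that is not a single DER SEQUENCE with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: N length bytes follow
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if header + length != len(der):
        raise ValueError("DER length mismatch")


def split_pem_certificates(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())      # drop line breaks inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("invalid base64 in PEM block") from exc
        check_der_sequence(der)
        certs.append(der)
    return certs


def fingerprints(ders):
    """SHA-1 hex fingerprints, the usual way to name individual certs in a bundle."""
    return [hashlib.sha1(der).hexdigest() for der in ders]


def is_well_formed_bundle(text):
    """True if the bundle parses and contains at least one certificate."""
    try:
        return len(split_pem_certificates(text)) > 0
    except ValueError:
        return False


def dropped_certificates(bundle_text, loaded_ders):
    """Fingerprints of bundle certs that a consumer did not load.

    Feed it the bundle and whatever the consumer actually received; anything
    listed here was silently discarded, which is exactly the failure mode
    where the supplicant ends up with only one of the two CA certs.
    """
    loaded = {hashlib.sha1(der).hexdigest() for der in loaded_ders}
    present = fingerprints(split_pem_certificates(bundle_text))
    return [fp for fp in present if fp not in loaded]


if __name__ == "__main__":
    certs = split_pem_certificates(SAMPLE_BUNDLE)
    print("certificates in bundle:", len(certs))
    # Simulate a consumer that only keeps the first block.
    print("dropped when only the first block is used:",
          dropped_certificates(SAMPLE_BUNDLE, certs[:1]))
```

Running the script against a real bundle (replace SAMPLE_BUNDLE with the file contents) tells you how many certificates the file carries, which is the first thing to confirm before blaming the component that consumes it.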
If you add your certificates to your distro's OpenSSL root certificate directory and set up the appropriate hashes, it should work correctly. NetworkManager sends the system's root CA directory to the supplicant, which in turn forwards it to OpenSSL. Multiple root certificates in a user-defined CA certificate file are no longer supported because they are insecure; but the system CA locations are secure and thus usable (e.g. on Fedora, that's /etc/pki/tls/certs). Does this work for you? See http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl.
While that explanation does make sense (could that be added to the FAQ or somewhere?), it does not fix the problem. I made sure that the certificates were installed properly, as using 'openssl verify host.crt' worked just fine, but if I removed either the root cert or the intermediary cert from the system location, the verify would fail. I verified this functionality on both Ubuntu 8.10 and RHEL 5.3, so I'm fairly certain I'm doing that part right. When using NetworkManager, the same error messages appear as they did before any change was made to the system OpenSSL certs. I would suspect that the intermediary cert is the one that should be specified in the GUI; however, I also tried to use the root cert in the GUI just to check. From my observations, it doesn't appear that NetworkManager is using the OpenSSL system certs. Any other ideas?
This will be fixed in NM 0.8 when we start using paths to certificates instead.
This has been fixed in NM 0.8 with certificate paths.
*** Bug 594466 has been marked as a duplicate of this bug. ***