Bug 670999 - NetworkManager does not appear to support AES-encrypted RSA private keys for WPA2 802.1X auth
Status: RESOLVED OBSOLETE
Product: NetworkManager
Classification: Platform
Component: Wi-Fi
Version: 0.9.x
Hardware: Other Linux
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Dan Williams
NetworkManager maintainer(s)
Reported: 2012-02-28 19:55 UTC by Walter Mundt
Modified: 2020-11-12 14:31 UTC
Description Walter Mundt 2012-02-28 19:55:16 UTC
NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.

To test via nm-applet:

1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key. Even with the correct passphrase, the "Connect" button will remain disabled; debugging output will show that nm-util is failing to validate the private key.

Workaround for anyone running into this issue: Re-encrypt your key with DES-3.  The incantation is "openssl rsa -in aes-key.pem -out working-key.pem -des3".
Comment 1 Walter Mundt 2012-02-29 19:04:00 UTC
Specific version information, as requested on the Ubuntu bug at https://bugs.launchpad.net/network-manager/+bug/942856 and added here in case it's useful upstream:

Ubuntu Release: 11.10
network-manager version: 0.9.1.90-0ubuntu5.1
network-manager-gnome version: 0.9.1.90-0ubuntu6

FWIW, based on my cursory examination of the code, the issue does not appear to be introduced by any Ubuntu packages.

This may be classifiable as "enhancement" or "wishlist" depending on whether feature parity with openssl is part of the "current feature set" of the application.  Based on my searches today, there's no common standard for specifying anything more elaborate than a DES cipher in the DEK-Info header of a PEM file.

Still, it would be nice to at least have some kind of error message about the key format being unsupported instead of this case just getting treated as if the key passphrase is always incorrect by the UI.
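
The distinction asked for in Comment 1, as an added example that is not part of the original report and not NetworkManager's code: reading the DEK-Info header before any decryption attempt lets a caller report an unsupported cipher instead of a wrong passphrase. The names `classify_pem_key`, `key_status`, `cipher_buf` and the one-entry allow-list are assumptions made for illustration; the sample key is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not NetworkManager's API). */
typedef enum {
    KEY_UNENCRYPTED,        /* no Proc-Type/DEK-Info headers */
    KEY_CIPHER_SUPPORTED,   /* encrypted, cipher is in the allow-list */
    KEY_CIPHER_UNSUPPORTED, /* encrypted, cipher is not in the allow-list */
    KEY_MALFORMED           /* not an RSA PEM key, or a broken header */
} key_status;

/* Assumption: only the cipher the report says works ("DES-3"). */
static const char *const supported[] = { "DES-EDE3-CBC", NULL };

/* Classify a traditional-format PEM RSA key by its DEK-Info header.
 * On return, cipher holds the cipher name (empty if none was found). */
key_status classify_pem_key(const char *pem, char *cipher, size_t cap)
{
    if (cap) cipher[0] = '\0';
    if (!pem || !strstr(pem, "-----BEGIN RSA PRIVATE KEY-----"))
        return KEY_MALFORMED;
    const char *dek = strstr(pem, "\nDEK-Info: ");
    if (!dek)   /* ENCRYPTED without DEK-Info is a broken header */
        return strstr(pem, "\nProc-Type: 4,ENCRYPTED") ? KEY_MALFORMED
                                                        : KEY_UNENCRYPTED;
    dek += strlen("\nDEK-Info: ");
    size_t n = strcspn(dek, ",\r\n");   /* cipher name ends at the comma */
    if (dek[n] != ',' || n == 0 || n >= cap)
        return KEY_MALFORMED;           /* IV missing or name too long */
    memcpy(cipher, dek, n);
    cipher[n] = '\0';
    for (size_t i = 0; supported[i]; i++)
        if (strcmp(cipher, supported[i]) == 0)
            return KEY_CIPHER_SUPPORTED;
    return KEY_CIPHER_UNSUPPORTED;
}

/* Constructed sample: header layout as in step 2; IV and body are placeholders. */
static const char sample_aes[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n...\n";
static char cipher_buf[32];

int main(void)
{
    if (classify_pem_key(sample_aes, cipher_buf, sizeof cipher_buf) == KEY_CIPHER_UNSUPPORTED)
        printf("unsupported private key cipher: %s\n", cipher_buf);
    return 0;
}
```
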
Comment 2 André Klapper 2020-11-12 14:31:23 UTC
bugzilla.gnome.org is being shut down in favor of a GitLab instance. 
We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time.

If you still use NetworkManager and if you still see this bug / want this feature in a recent and supported version of NetworkManager, then please feel free to report it at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/

Thank you for creating this report and we are sorry it could not be implemented (workforce and time are unfortunately limited).