GNOME Bugzilla – Bug 649807
802.1X auth fails because of failed certificate validation
Last modified: 2011-07-19 19:01:46 UTC
Hi Folks!

I'm on archlinux and NM got bumped to 0.8.999 [1] today. As a result I could not log on to our campus network anymore, which uses 802.1X auth (EAP-TTLS and PAP). After some digging I realized that the problem was that wpa_supplicant got fed a certificate file which seems bogus to me:

    $ sudo cat /etc/NetworkManager/system-connections/b8da4165-f6ea-4431-a43e-bf6ccf5ae727-ca-cert.pem
    Password:
    /etc/ssl/certs/deutsche-telekom-root-ca-2.pem

wpa_supplicant (0.7.3-3 [2]) can't cope with this kind of "softlink":

    OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
    OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
    OpenSSL: pending error: error:0B06F00D:x509 certificate routines:X509_load_cert_file:ASN1 lib
    TLS: Failed to set TLS connection parameters

A workaround for me is to create a "real" softlink to the mentioned cert.

Please let me know if you need further information.

Cheers
Sven

[1]: https://www.archlinux.de/?page=PackageDetails;repo=extra;arch=i686;pkgname=networkmanager
[2]: https://www.archlinux.de/?page=PackageDetails;repo=core;arch=i686;pkgname=wpa_supplicant
Yeah, it shouldn't be doing that; though I wonder how that happened. Is 'nm-applet' running at all on your system?
Yep, it's running. Maybe this was some kind of transitional problem... Looking at my /etc/NetworkManager/system-services dir I saw these files:

    # ls -ahl
    total 20K
    drwxr-xr-x 2 root root 4.0K May 11 09:43 .
    drwxr-xr-x 4 root root 4.0K May  9 16:59 ..
    -rw------- 1 root root  612 May  9 12:58 Auto eduroam
    -rw------- 1 root root  293 May  9 12:58 Auto welcome
    -rw------- 1 root root   45 May  9 12:58 b8da4165-f6ea-4431-a43e-bf6ccf5ae727-ca-cert.pem

    [root@helmut system-connections]# cat Auto\ eduroam
    [connection]
    id=Auto eduroam
    uuid=b8da4165-f6ea-4431-a43e-bf6ccf5ae727
    type=802-11-wireless
    permissions=user:sven:;
    timestamp=1304932361

    [802-11-wireless]
    ssid=eduroam
    mode=infrastructure
    seen-bssids=00:1e:4a:bf:c3:00;00:27:0d:55:65:60;00:1e:4a:54:f6:f0;00:1e:4a:57:75:70;00:1e:4a:54:f5:c0;00:27:0d:56:10:b0;
    security=802-11-wireless-security

    [802-1x]
    eap=ttls;
    identity=sven.schober@uni-ulm.de
    anonymous-identity=anonymous@uni-ulm.de
    ca-cert=/etc/NetworkManager/system-connections/b8da4165-f6ea-4431-a43e-bf6ccf5ae727-ca-cert.pem
    phase2-auth=pap
    password-flags=1

    [802-11-wireless-security]
    key-mgmt=wpa-eap

So I removed all of those, restarted NM, reconnected to eduroam with nm-applet, and now I've only got one file there:

    ]# ls -ahl
    total 12K
    drwxr-xr-x 2 root root 4.0K May 11 09:46 .
    drwxr-xr-x 4 root root 4.0K May  9 16:59 ..
    -rw------- 1 root root  498 May 11 09:46 eduroam

And the ca-cert entry points to the right location:

    [root@helmut system-connections]# cat eduroam | grep ca-cert
    ca-cert=/etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem

So, sorry for the noise...
Well, this could indicate a bug in the connection import process for 0.9 (since all connections are now stored by NM itself, not by nm-applet), so I'd still like to see if I can track it down. I spent some time yesterday going over the code and didn't find anything in particular, I guess I'll keep looking.
Is there any chance you could dump your GConf with:

    gconftool-2 --dump /system/networking/connections

and mail that to me privately? It contains a list of all your saved network connections, but if you like you can remove the non-Eduroam ones by doing something like:

    gconftool-2 --dump /system/networking/connections | grep -B 2 eduroam

then look for the connection # in the <key> field, like this:

    <key>11/connection/id</key>
    <value>
    <string>CLEAR</string>

and then use that number to just dump the eduroam connection like so:

    gconftool-2 --dump /system/networking/connections/11

and then mail that, or if you don't mind, attach it to this bug report. I'm very interested to see what's in GConf, and thus what got imported to NetworkManager the first time you ran 0.9. That could give us a clue as to what went wrong. Thanks!
Created attachment 187695: GConf connection dump

Hi Dan! I've followed your suggestion and dumped the connection info and had a quick look at what's in the dump. The uuid corresponds to the pem-file name I saw in /etc/NetworkManager/system-services. Hope that helps! Please let me know if you need anything else, I'll be glad to help :)
I was able to debug this today, and it appears to be an issue only if the original certificate path sent by nm-applet is not accessible to NetworkManager, or no longer exists on the system. So when you get these files, can you cat the .pem from /etc/NetworkManager/system-connections and see if the path pointed to by the contents actually exists? I.e. does /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem exist on your system, and is it readable by root?
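The check Dan asks for above (open the .pem NM wrote and see whether the path it contains actually exists, symlinks followed), scripted over a whole system-connections directory. This is an added example, not code from this bug report or from NetworkManager; it assumes the 0.9 keyfile layout Sven pasted, with a bare filesystem path in the [802-1x] ca-cert key, and the sample connection directory it builds is constructed.

```python
# Audit [802-1x] ca-cert entries in NetworkManager 0.9 keyfiles and flag a
# "certificate" file that really holds a bare path string. Added example.
import configparser
import os
import tempfile
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
KEYFILE = "[connection]\nid={0}\ntype=802-11-wireless\n[802-1x]\neap=ttls;\nca-cert={1}\nphase2-auth=pap\n"

def classify_cert_file(path):
    """Return 'pem', 'der', 'path-ok', 'path-broken', 'missing' or 'unknown'."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "missing"                      # the ca-cert file itself is unreadable
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    if data[:1] == b"\x30":                   # ASN.1 SEQUENCE tag: binary DER
        return "der"
    text = data.decode("utf-8", "replace").strip()
    if text.startswith("/") and "\n" not in text:
        # File holds the original path, not a cert; realpath() follows symlinks
        target = os.path.realpath(text)       # e.g. /etc/ssl/certs/X.pem -> /usr/share/ca-certificates/...
        readable = os.path.isfile(target) and os.access(target, os.R_OK)
        return "path-ok" if readable else "path-broken"
    return "unknown"

def check_connections(conn_dir):
    results = {}
    for name in sorted(os.listdir(conn_dir)):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        try:
            cp.read(os.path.join(conn_dir, name), encoding="utf-8")
        except (configparser.Error, UnicodeDecodeError):
            continue                          # not a keyfile (e.g. the stray .pem)
        if cp.has_option("802-1x", "ca-cert"):
            results[name] = classify_cert_file(cp.get("802-1x", "ca-cert"))
    return results

def demo():
    """Constructed sample dir: one sane connection, one with a path-string 'cert'."""
    d = tempfile.mkdtemp()
    certs = {"good.pem": PEM_HEADER + b"\nMIIB...placeholder, not a real cert...\n-----END CERTIFICATE-----\n",
             "b8da4165-ca-cert.pem": b"/nonexistent/Deutsche_Telekom_Root_CA_2.pem"}
    for fname, body in certs.items():
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(body)
    for conn, cert in (("ok-net", "good.pem"), ("eduroam", "b8da4165-ca-cert.pem")):
        with open(os.path.join(d, conn), "w") as fh:
            fh.write(KEYFILE.format(conn, os.path.join(d, cert)))
    return check_connections(d)               # -> {'eduroam': 'path-broken', 'ok-net': 'pem'}
```

Run `check_connections("/etc/NetworkManager/system-connections")` as root on a real system; any `path-broken` result is the situation described in this bug, and `path-ok` means the copied-out path would have been usable had NM written the certificate itself.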
This should be fixed by d2ae0bac82d6239849d92c959bb707f9245e4fd6 in git master. But let me know whether the certificates that get written out wrongly for you here do actually exist or not.
Sven, does the commit mentioned in comment #7 fix your problem?
@Dan `/etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem` exists (and existed) on my system and is readable by `root`, but it's a symlink to `/usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt`.

@Akhil As the problem no longer occurs on my system and the problem is kind of hard to reproduce (must install old package version, set it up and then upgrade again), I refrain somewhat from doing it :) But, if you think it's absolutely necessary, I'd do it...

Cheers
Sven
nah, I'm pretty sure it's fixed now as part of recent NM 0.9 snapshots.