Bug#907888: marked as done (opopenssl: Breaks wpa_supplicant (and NetworkManager) which fail with error "ee key too small")

Tue, 27 Nov 2018 14:33:37 -0800 

Your message dated Tue, 27 Nov 2018 23:31:33 +0100
with message-id <20181127223131.yhloino2neekb...@breakpoint.cc>
and subject line Re: [Pkg-openssl-devel] Bug#907888: Bug#907888: openssl: 
Breaks wpa_supplicant (and NetworkManager) which fail with error "ee key too 
small"
has caused the Debian Bug report #907888,
regarding opopenssl: Breaks wpa_supplicant (and NetworkManager) which fail with 
error "ee key too small"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
907888: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907888
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: openssl
Version: 1.1.1~~pre9-1
Severity: important

Dear Maintainer,
version 1.1.1~~pre9-1 of the openssl package breaks wpa_supplicant (and
NetworkManager) when using EAP TLS connections. In particular, launching:

> wpa_supplicant -dd -i wlp2s0 -c ./eduroam.conf

where /eduroam.conf is:

network={
  ssid="eduroam"
  key_mgmt=WPA-EAP
  pairwise=CCMP
  group=CCMP TKIP
  eap=TLS
  ca_cert="/tmp/ca.pem"
  identity="x...@xxx.xx"
  domain_suffix_match="wifi.polimi.it"
  private_key="/tmp/wifiCert_nopass.p12"
  private_key_passwd=""
}

I get the error (excerpt of the wpa_supplicant log, with username changed to
avoid disclosing sensitive info)

...
EAP: EAP entering state GET_METHOD
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
TLS: Successfully parsed PKCS12 data
TLS: Got certificate from PKCS12:
subject='/C=IT/ST=Lombardia/L=Milano/O=Politecnico di Milano/OU=Area
Sistemi ICT/CN=x...@xxx.xx'
TLS: Got private key from PKCS12
TLS - SSL error: error:140C618F:SSL routines:SSL_use_certificate:ee key too
small
OpenSSL: tls_connection_private_key - Failed to load private key
error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key '/home/cugola/wifiCert_nopass.p12'
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
...

If I go back to openssl_1.1.0h-4_amd64.deb everything works fine. Here is
the same excerpt above when old version of the package is used:

...
EAP: EAP entering state GET_METHOD
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
TLS: Successfully parsed PKCS12 data
TLS: Got certificate from PKCS12:
subject='/C=IT/ST=Lombardia/L=Milano/O=Politecnico di Milano/OU=Area
Sistemi ICT/CN=x...@xxx.xx'
TLS: Got private key from PKCS12
OpenSSL: Reading PKCS#12 file --> OK
SSL: Private key loaded successfully
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
...

Please, do not hesitate contacting me for further tests.

Regards
  G.

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'),
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.5-xps13 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6      2.27-5
ii  libssl1.1  1.1.1~~pre9-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20180409

-- no debconf information

--- End Message ---
--- Begin Message --- 
On 2018-09-05 23:32:10 [+0200], Kurt Roeckx wrote:
> On Tue, Sep 04, 2018 at 11:41:48AM +0200, Gianpaolo Cugola wrote:
> > 
> > 1. Administrators of big organizations are usually reluctant to change
> > their certificates
> 
> Can you at least try to contact them?
Please do so.

Closing, there is a "workaround" to lower the security requirements on
the client side.
 
> Kurt
Sebastian

--- End Message ---

Reply via email to