Bug#907888: opopenssl: Breaks wpa_supplicant (and NetworkManager) which fail with error "ee key too small"

Mon, 03 Sep 2018 09:27:21 -0700 

Package: openssl
Version: 1.1.1~~pre9-1
Severity: important

Dear Maintainer,
version 1.1.1~~pre9-1 of the openssl package breaks wpa_supplicant (and
NetworkManager) when using EAP TLS connections. In particular, launching:

> wpa_supplicant -dd -i wlp2s0 -c ./eduroam.conf

where /eduroam.conf is:

network={
  ssid="eduroam"
  key_mgmt=WPA-EAP
  pairwise=CCMP
  group=CCMP TKIP
  eap=TLS
  ca_cert="/tmp/ca.pem"
  identity="x...@xxx.xx"
  domain_suffix_match="wifi.polimi.it"
  private_key="/tmp/wifiCert_nopass.p12"
  private_key_passwd=""
}

I get the error (excerpt of the wpa_supplicant log, with username changed to
avoid disclosing sensitive info)

...
EAP: EAP entering state GET_METHOD
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
TLS: Successfully parsed PKCS12 data
TLS: Got certificate from PKCS12:
subject='/C=IT/ST=Lombardia/L=Milano/O=Politecnico di Milano/OU=Area
Sistemi ICT/CN=x...@xxx.xx'
TLS: Got private key from PKCS12
TLS - SSL error: error:140C618F:SSL routines:SSL_use_certificate:ee key too
small
OpenSSL: tls_connection_private_key - Failed to load private key
error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key '/home/cugola/wifiCert_nopass.p12'
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
...

If I go back to openssl_1.1.0h-4_amd64.deb everything works fine. Here is
the same excerpt above when old version of the package is used:

...
EAP: EAP entering state GET_METHOD
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
TLS: Successfully parsed PKCS12 data
TLS: Got certificate from PKCS12:
subject='/C=IT/ST=Lombardia/L=Milano/O=Politecnico di Milano/OU=Area
Sistemi ICT/CN=x...@xxx.xx'
TLS: Got private key from PKCS12
OpenSSL: Reading PKCS#12 file --> OK
SSL: Private key loaded successfully
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
...

Please, do not hesitate contacting me for further tests.

Regards
  G.

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'),
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.5-xps13 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6      2.27-5
ii  libssl1.1  1.1.1~~pre9-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20180409

-- no debconf information

Reply via email to