Bug 501828 - net-wireless/wpa_supplicant-2.1 fails to connect with the same config as 2.0-r2
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Bjarke Istrup Pedersen (RETIRED)
Duplicates: 501934
Reported: 2014-02-19 21:38 UTC by James Cline
Modified: 2014-02-25 14:20 UTC (History)
Attachments
NetworkManager config of failing wireless LAN (eduroam,477 bytes, text/plain)
2014-02-21 11:46 UTC, Martin Wegner
Log file of failed connection attempt. (eduroam-wpa_supplicant.log,27.00 KB, text/plain)
2014-02-21 11:47 UTC, Martin Wegner
Hacked ebuild to use their git repo (wpa_supplicant-2.1-r1.ebuild,9.19 KB, text/plain)
2014-02-24 22:25 UTC, James Cline

Description James Cline 2014-02-19 21:38:19 UTC
I recently tried upgrading wpa_supplicant to the latest unstable version, 2.1, and it fails to connect using an existing configuration that worked with 2.0. Downgrading to 2.0-r2, without changing anything else, allows me to connect again. Other WPA2 networks work fine, but they don't use MSCHAPv2. I don't have another network using MSCHAPv2 to test against.

I'm unsure if this is a bug in wpa_supplicant itself or not, but I thought I'd start here. I tried changing my USE flags to -gnutls +ssl and still had the issue.

Redacted conf:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
update_config=1
ap_scan=1

network={
   ssid="*****"

   pairwise=CCMP
   group=CCMP

   proto=WPA2
   key_mgmt=WPA-EAP
   eap=PEAP
   phase2="auth=MSCHAPv2"

   identity="*****"
   password="*****"

   priority=2
}

Redacted output from wpa_cli when it attempts to connect:

<3>SME: Trying to authenticate with 55:55:55:55:55:55 (SSID='*****' freq=5825 MHz)
<3>Trying to associate with 55:55:55:55:55:55 (SSID='*****' freq=5825 MHz)
<3>Associated with 55:55:55:55:55:55
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='PEAP'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
<3>CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA'
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='success'
<3>CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA'
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='success'
<3>CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA'
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='success'
<3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/serialNumber=******* www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.aru
<3>CTRL-EVENT-EAP-TLS-CERT-ERROR reason=10 depth=0 subject='/serialNumber=******* /C=US/O=securelogin.arubanetworks.com/*******/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='Server used client certificate'
<3>CTRL-EVENT-EAP-STATUS status='local TLS alert' parameter='unknown CA'
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'


It seems like the pertinent line is:

<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='Server used client certificate'


Reproducible: Always

Steps to Reproduce:
1. Install wpa_supplicant-2.1
2. Attempt to connect to network with similar conf to the above

Actual Results:  
Fails to connect due to a cert error(?).

Expected Results:  
Connected

emerge --info wpa_supplicant
Portage 2.2.7 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.17, 3.10.25-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.10.25-gentoo-x86_64-Intel-R-_Core-TM-_i7-3667U_CPU_@_2.00GHz-with-gentoo-2.2
KiB Mem:     8012812 total,   6571652 free
KiB Swap:    7131132 total,   7131132 free
Timestamp of tree: Wed, 19 Feb 2014 01:30:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r3, 3.2.5-r3, 3.3.3
dev-util/cmake:           2.8.11.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.10.3, 1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -ggdb"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe -march=native -ggdb"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe -march=native -ggdb"
GENTOO_MIRRORS="http://gentoo.llarian.net/ ftp://gentoo.llarian.net/pub/gentoo http://mirror.iawnet.sandia.gov/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
USE="10bit X aac aalib acl alsa amd64 apng bash-completion berkdb bindist bzip2 cjk cli cracklib crypt curl cxx dbus device-mapper dri exif flac fortran gdbm gif gnutls gtk gzip iconv ipv6 jpeg jpeg2k lame libass lzma mmx modules mp3 multilib ncurses nls nptl offensive ogg opengl openmp openssl pam pcre png readline rtmp sdl session sna speex sqlite sse sse2 sse4 sse4_1 sse4_2 ssl ssse3 svg tcpd theora threads tiff truetype unicode uxa v4l vim-syntax vmx vorbis x264 xcb xinerama xorg xvid zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="lvm crypt debug dm" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en_US en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-4" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" 
RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel i915" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

net-wireless/wpa_supplicant-2.1 was built with the following:
USE="dbus gnutls (multilib) readline ssl -ap -eap-sim -fasteap -p2p (-ps3) -qt4 (-selinux) -smartcard -wimax -wps" ABI_X86="64"
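
A triage helper for the wpa_cli event sequence in the description above, added here as an example (it is not part of the original report and not wpa_supplicant code). It parses the CTRL-EVENT lines, tolerates the cut-off `subject=` field, and keeps the local verification reason separate from the TLS alert name; the sample log is abridged from the report and the function names are assumptions.

```python
import re

# Constructed sample: abridged from the wpa_cli output in the report above
# (redactions and the cut-off depth=0 subject are kept in the same shape).
SAMPLE = """\
<3>Associated with 55:55:55:55:55:55
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='PEAP'
<3>CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA'
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='success'
<3>CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA'
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='success'
<3>CTRL-EVENT-EAP-TLS-CERT-ERROR reason=10 depth=0 subject='/serialNumber=******* /C=US/CN=
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='Server used client certificate'
<3>CTRL-EVENT-EAP-STATUS status='local TLS alert' parameter='unknown CA'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

EVENT = re.compile(r"^<\d+>(CTRL-EVENT-[A-Z0-9-]+)\s*(.*)$")
# key=value pairs; a quoted value may be cut off at end of line (no closing quote).
KV = re.compile(r"(\w+)=(?:'([^']*)(?:'|$)|(\S+))")

def triage(log_text):
    """Summarise the EAP certificate events found in wpa_cli output."""
    r = {"method": None, "chain": [], "verify_ok": 0, "cert_error": None,
         "verify_failure": None, "tls_alert": None, "outcome": "incomplete"}
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # association / SME lines carry no EAP event
        name, rest = m.groups()
        kv = {k: quoted or bare for k, quoted, bare in KV.findall(rest)}
        if name == "CTRL-EVENT-EAP-STATUS":
            status, param = kv.get("status"), kv.get("parameter")
            if status == "accept proposed method":
                r["method"] = param
            elif status == "remote certificate verification":
                if param == "success":
                    r["verify_ok"] += 1
                else:
                    r["verify_failure"] = param  # the local reason, in words
            elif status == "local TLS alert":
                r["tls_alert"] = param  # alert name; may differ from the reason
        elif name == "CTRL-EVENT-EAP-PEER-CERT":
            r["chain"].append((int(kv.get("depth", -1)), kv.get("subject", "")))
        elif name == "CTRL-EVENT-EAP-TLS-CERT-ERROR":
            r["cert_error"] = {"reason": int(kv.get("reason", -1)),
                               "depth": int(kv.get("depth", -1)),
                               "subject": kv.get("subject", "")}
        elif name == "CTRL-EVENT-EAP-FAILURE":
            r["outcome"] = "failure"
        elif name == "CTRL-EVENT-EAP-SUCCESS":
            r["outcome"] = "success"
    return r

def leaf_only_rejection(r):
    """True when issuer certificates verified but the depth=0 certificate was rejected."""
    err = r["cert_error"]
    return bool(err) and err["depth"] == 0 and r["verify_ok"] > 0

if __name__ == "__main__":
    print(triage(SAMPLE), leaf_only_rejection(triage(SAMPLE)))
```

On the sample, the alert name is `unknown CA` while the recorded verification failure is `Server used client certificate` at depth 0, which is why the helper reports the two fields separately.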
Comment 1 Mark Tomich 2014-02-20 18:34:14 UTC
I have observed the same thing.  Downgrading to v2.0 fixes it.
Comment 2 Martin Wegner 2014-02-21 11:43:36 UTC
I have the same issue with a WPA-EAP/TTLS/PAP wireless network (eduroam in Germany to be exact) while using wpa_supplicant and NetworkManager (with systemd). The connection to the wireless LAN fails since the upgrade to net-wireless/wpa_supplicant-2.1.

I will attach the config of the wireless LAN and a log file of a failed connection attempt.

Workaround:

Downgrading to net-wireless/wpa_supplicant-2.0-r2 solves it *or* more importantly: emerging wpa_supplicant with gnutls instead of ssl USE-flag also works:

# USE='-ssl gnutls' emerge -a1v '=net-wireless/wpa_supplicant-2.1'
# systemctl restart wpa_supplicant NetworkManager
(connection to WLAN succeeds)

Versions of relevant packages:

$ emerge -pv openssl gnutls wpa_supplicant networkmanager
[ebuild   R    ] dev-libs/openssl-1.0.1f  USE="(sse2) tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla" 4,408 kB
[ebuild   R    ] net-wireless/wpa_supplicant-2.1  USE="dbus readline ssl -ap -eap-sim -fasteap -gnutls -p2p (-ps3) -qt4 (-selinux) -smartcard -wimax -wps" 0 kB
[ebuild   R    ] net-libs/gnutls-3.2.11  USE="crywrap cxx nls pkcs11 zlib -dane -doc -examples -guile -static-libs {-test}" LINGUAS="de en -cs -fi -fr -it -ms -nl -pl -sv -uk -vi -zh_CN" 5,015 kB
[ebuild   R    ] net-misc/networkmanager-0.9.8.8  USE="avahi bluetooth dhcpcd introspection modemmanager nss ppp systemd wext wifi -connection-sharing -consolekit -dhclient -gnutls -resolvconf {-test} -vala" 1,980 kB

$ emerge --info
Portage 2.2.8-r1 (default/linux/amd64/13.0/desktop/gnome, gcc-4.8.2, glibc-2.19, 3.13.3-gentoo-wotan x86_64)
=================================================================
System uname: Linux-3.13.3-gentoo-wotan-x86_64-Intel-R-_Core-TM-_i7-3520M_CPU_@_2.90GHz-with-gentoo-2.2
KiB Mem:     7921520 total,   2379156 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of tree: Thu, 20 Feb 2014 17:45:01 +0000
ld GNU ld (GNU Binutils) 2.24
ccache version 3.1.9 [disabled]
app-shells/bash:          4.2_p45-r1
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.6, 3.2.5-r3, 3.3.4
dev-util/ccache:          3.1.9-r3
dev-util/cmake:           2.8.12.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.13.4, 1.14.1
sys-devel/binutils:       2.24-r2
sys-devel/gcc:            4.8.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           4.0-r1
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.19
Repositories: gentoo gentoo-haskell x-portage
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=1 --load-average=5"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs candy clean-logs config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="        http://mirror.opteamax.de/gentoo/       rsync://mirror.netcologne.de/gentoo/    http://gentoo.supp.name/        ftp://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/      http://ftp.uni-erlangen.de/pub/mirrors/gentoo         ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4 -l4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/haskell /usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 amr avahi berkdb bluetooth branding bzip2 cairo cdda cdr cli colord cracklib crypt cryptsetup cups cxx dbus dirac divx dri dts dvb dvd dvdr emboss encode exif faac faad fam fat ffmpeg firefox flac fuse gdbm gif gnome gnome-keyring gnome-online-accounts gstreamer gtk gtk3 iconv idn inotify introspection ipv6 jpeg lame lastfm lcms libnotify libsecret mad mmx mmxext mng modules mp3 mp4 mpeg multilib nautilus ncurses networkmanager nls nptl offensive ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio readline realmedia samba schroedinger sdl sendto session smartcard socialweb spell sse sse2 ssl startup-notification svg syslog systemd tcpd telepathy theora tiff tracker truetype udev udisks unicode upower usb v4l v4l2 vim-syntax vorbis vpx webm wmp wxwidgets x264 xcb xinerama xml xv xvid zeitgeist zeroconf zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CURL_SSL="gnutls" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" 
INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en de" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="x86_64 i386" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 3 Martin Wegner 2014-02-21 11:46:30 UTC
Created attachment 370954
NetworkManager config of failing wireless LAN

As found in the file /etc/NetworkManager/system-connections/eduroam, sensitive values redacted.
Comment 4 Martin Wegner 2014-02-21 11:47:27 UTC
Created attachment 370956
Log file of failed connection attempt.

Log of a failed connection attempt, obtained via:

$ journalctl -f _SYSTEMD_UNIT=wpa_supplicant.service _SYSTEMD_UNIT=NetworkManager.service
Comment 5 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-02-21 14:30:59 UTC
Looks like a bug in wpa_supplicant - could you try and take it to the hostap mailing list - they can help you a lot better than we can here, since they are the developers of wpa_supplicant?

You can find the mailing list here: http://lists.shmoo.com/mailman/listinfo/hostap
Comment 6 Olivier Huber 2014-02-24 16:26:22 UTC
(In reply to Bjarke Istrup Pedersen from comment #5)
> Looks like a bug in wpa_supplicant - could you try and take it to the hostap
> mailing list - they can help you a lot better than we can here, since they are
> the developers of wpa_supplicant?
> 
> You can find the mailing list here:
> http://lists.shmoo.com/mailman/listinfo/hostap

It has already been fixed in upstream git. Quick link to the patch:
http://hostap.epitest.fi/cgit/hostap/patch/src/crypto/tls_openssl.c?id=b62d5b5450101676a0c05691b4bcd94e11426397

I successfully tested it on an eduroam network.

For more info, there is also this thread http://patchwork.ozlabs.org/patch/320617/
Comment 7 James Cline 2014-02-24 22:25:42 UTC
Created attachment 371194
Hacked ebuild to use their git repo

I used Olivier's info to hack together this ebuild to use that sha. I am able to connect with it.
Comment 8 James Cline 2014-02-24 22:28:30 UTC
I should also note that my hacked ebuild probably doesn't work for all USE flags. I only tested the ones I use.
Comment 9 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-02-25 07:54:18 UTC
Fixed in 2.1-r1, thanks for reporting and finding the right commit needed.
Comment 10 Eduard Bachmakov 2014-02-25 14:20:15 UTC
*** Bug 501934 has been marked as a duplicate of this bug. ***