View Issue Details

ID: 0007441
Project: CentOS-7
Category: openssl
View Status: public
Last Update: 2014-11-13 10:24
Reporter: martin.sourada
Assigned To:
Status: new
Resolution: open
Product Version: 7.0-1406
Summary: 0007441: Cannot authenticate to local dormitory network
Description: I cannot authenticate to my dorm network using openssl shipped with CentOS. Rebuilding and installing openssl from Fedora 20 solved the issue. It's a wired connection, using IEEE8021X security, authentication via TTLS, PAP.

The error that happens can be found in /var/log/wpa_supplicant.log. It happens both when trying to connect manually and via NetworkManager.

Successfully initialized wpa_supplicant
enp1s0f0: Associated with 01:80:c2:00:00:03
enp1s0f0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
enp1s0f0: CTRL-EVENT-EAP-STARTED EAP authentication started
enp1s0f0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
enp1s0f0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
enp1s0f0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
enp1s0f0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CZ/ST=Czech Republic/L=Prague/O=Sisal MFF UK/CN=VPN SISAL'
TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=CZ/ST=Czech Republic/O=Sisal MFF UK/'
enp1s0f0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=CZ/ST=Czech Republic/O=Sisal MFF UK/' err='certificate signature failure'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
OpenSSL: openssl_handshake - SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
OpenSSL: pending error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Steps To Reproduce: Example configuration:

Root certificate:
Additional Information: Broken openssl:

Working openssl:
Tags: No tags attached.




2014-07-29 16:26

updater   ~0020546

$ openssl x509 -in cacert.pem -text -noout
Signature Algorithm: md5WithRSAEncryption

The openssl of CentOS is not 'broken', it just refuses to accept certificates with an insecure signature algorithm (md5). sha1WithRSAEncryption would probably work better. Please encourage your network admin to update the certificate, and to use a more secure signature algorithm.
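
An added example, not part of the original thread and not CentOS or OpenSSL code: a dependency-free Python check that reads the outer signatureAlgorithm of every certificate in a PEM bundle (the field `openssl x509 -text` prints above) and flags md5WithRSAEncryption. The function names are hypothetical, and the sample bundle is constructed from certificate-shaped DER skeletons rather than real certificates.

```python
import base64
import re
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
REJECTED = {"md5WithRSAEncryption"}  # the algorithm refused in this report
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Outer signatureAlgorithm of one DER certificate (name, or raw OID)."""
    _, body, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)    # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg)   # algorithm OID
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    oid = decode_oid(der[start:end])
    return SIG_ALGS.get(oid, oid)

def audit_bundle(pem_text):
    """Return (index, algorithm, rejected) for every certificate in a PEM bundle."""
    algs = [signature_algorithm(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return [(i, a, a in REJECTED) for i, a in enumerate(algs)]

def constructed_pem(last_arc):
    """Constructed sample: certificate-shaped DER skeleton, not a real certificate."""
    der = bytes.fromhex("30143000300d06092a864886f70d0101%02x0500030100" % last_arc)
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_BUNDLE = constructed_pem(4) + constructed_pem(11)  # MD5 entry, then SHA-256 entry
```

Passing the text of a real CA file to `audit_bundle` lists any entry a client with this policy would refuse, before the file is deployed to supplicants.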


2014-11-07 10:24

reporter   ~0021582

Quick workaround for this is setting some environment variables as follows:



2014-11-13 10:24

reporter   ~0021661

Thanks both of you, just the other day the network root certificate was updated and works with CentOS 7 out of the box. I think it's OK to close the bug?

Issue History

Date Modified Username Field Change
2014-07-29 13:49 martin.sourada New Issue
2014-07-29 16:26 avij Note Added: 0020546
2014-11-07 10:24 hkwi Note Added: 0021582
2014-11-13 10:24 martin.sourada Note Added: 0021661