View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0007441CentOS-7opensslpublic2014-07-29 13:492014-11-13 10:24
Reportermartin.sourada Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version7.0-1406 
Summary0007441: Cannot authenticate to local dormitory network
DescriptionI cannot authenticate to my dorm network using openssl shipped with centos. Rebuilding and installing openssl from Fedora 20 solved the issue. It's wired connection, using IEEE8021X security, authentication via TTLS, PAP.

The error that happens can be found in /var/log/wpa_supplicant.log. Happens when both trying to connect manually and via NetworkManager.

Successfully initialized wpa_supplicant
enp1s0f0: Associated with 01:80:c2:00:00:03
enp1s0f0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
enp1s0f0: CTRL-EVENT-EAP-STARTED EAP authentication started
enp1s0f0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
enp1s0f0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
enp1s0f0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
enp1s0f0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CZ/ST=Czech Republic/L=Prague/O=Sisal MFF UK/CN=VPN SISAL'
TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=CZ/ST=Czech Republic/O=Sisal MFF UK/CN=spider.kolej.mff.cuni.cz'
enp1s0f0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=CZ/ST=Czech Republic/O=Sisal MFF UK/CN=spider.kolej.mff.cuni.cz' err='certificate signature failure'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
OpenSSL: openssl_handshake - SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
OpenSSL: pending error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Steps To ReproduceExample configuration:
http://www.kolej.mff.cuni.cz/faq/data/connect/wpa_supplicant2.conf

Root certificate:
http://www.kolej.mff.cuni.cz/faq/data/connect/cacert.pem
Additional InformationBroken openssl:
openssl-1.0.1e-34.el7_0.3.x86_64

Working openssl:
openssl-1.0.1e-38.f20.x86_64
TagsNo tags attached.
abrt_hash
URL

Activities

avij

avij

2014-07-29 16:26

updater   ~0020546

$ openssl x509 -in cacert.pem -text -noout
...
Signature Algorithm: md5WithRSAEncryption

The openssl of CentOS is not 'broken', it just refuses to accept certificates with an insecure signature algorithm (md5). sha1WithRSAEncryption would probably work better. Please encourage your network admin to update the certificate, and to use a more secure signature algorithm.
hkwi

hkwi

2014-11-07 10:24

reporter   ~0021582

Quick workaround for this is setting some environment variables as following:

OPENSSL_ENABLE_MD5_VERIFY=1
NSS_HASH_ALG_SUPPORT=+MD5
martin.sourada

martin.sourada

2014-11-13 10:24

reporter   ~0021661

Thanks both of you, just the other day the network root certificate was updated and works with CentOS 7 out of the box. I think it's OK to close the bug?

Issue History

Date Modified Username Field Change
2014-07-29 13:49 martin.sourada New Issue
2014-07-29 16:26 avij Note Added: 0020546
2014-11-07 10:24 hkwi Note Added: 0021582
2014-11-13 10:24 martin.sourada Note Added: 0021661