Cannot connect to eduroam on F36 due to openssl error

I cannot connect to eduroam on F36. Based on the logs, it seems to be because of an openssl error.

wpa_supplicant[1063]: wlp0s20f3: Associated with 7c:0e:ce:47:f5:3f
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
kernel: wlp0s20f3: Limiting TX power to 14 dBm as advertised by 7c:0e:ce:47:f5:3f
wpa_supplicant[1063]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[1063]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wpa_supplicant[1063]: wlp0s20f3: Authentication with 7c:0e:ce:47:f5:3f timed out.
kernel: wlp0s20f3: deauthenticating from 7c:0e:ce:47:f5:3f by local choice (Reason: 3=DEAUTH_LEAVING)
wpa_supplicant[1063]: BSSID 7c:0e:ce:47:f5:3f ignore list count incremented to 3, ignoring for 60 seconds
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid=7c:0e:ce:47:f5:3f reason=3 locally_generated=1
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=23 reason=AUTH_FAILED
wpa_supplicant[1063]: BSSID 7c:0e:ce:47:f5:3f ignore list count incremented to 4, ignoring for 120 seconds
wpa_supplicant[1063]: wlp0s20f3: CTRL-EVENT-DSCP-POLICY clear_all

I found another thread, but the resolution proposed there doesn’t work for me. Looking carefully, I get a different error:

wpa_supplicant[1063]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[1063]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol

I searched a bit, but didn’t get anywhere.


I also came across this RH blog, and found the corresponding option in man openssl.cnf and added the following:

[ alg_section ]

rh-allow-sha1-signatures

That didn’t work either. Did I misunderstand something? Is the alg_section a place holder for a section name, not literal?

2 Likes

This is indeed a different error to the one we debugged before.

I’ve posted on the devel mailing list now, so hopefully someone with enough OpenSSL knowledge will be able to help:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/3P2WVSWW5BJEG4T2STRQPCLZWMTF4KIY/

2 Likes

Thanks @ankursinha !

This likely happens because your EAP server only supports old versions of SSL or TLS.

The blog post is a good starting point, except I’m unsure why you came to the conclusion that setting rh-allow-sha1-signatures explicitly was the correct answer.

Chances are your EAP server does not support TLS 1.2, which is required by the DEFAULT crypto-policy on Fedora (see here: policies/DEFAULT.pol · dfb10eac929780d02a368dc0fe6ebddddd2b4009 · redhat-crypto / fedora-crypto-policies · GitLab). Have you tried setting the crypto-policy to LEGACY using update-crypto-policies --set LEGACY? That should enable TLS >= 1.0 (see policies/LEGACY.pol · dfb10eac929780d02a368dc0fe6ebddddd2b4009 · redhat-crypto / fedora-crypto-policies · GitLab). (NB: URLs aren’t links because new users can only post a single link per post.)

Incidentally, switching the crypto-policy to LEGACY will also correctly add rh-allow-sha1-signatures to /etc/crypto-policies/back-ends/opensslcnf.config. Specifically, alg_section refers to the configuration value in the section named by openssl_conf that contains the name of the section that can contain rh-allow-sha1-signatures. That’s confusing, so here’s an example:

openssl_conf = openssl_init

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes

Note that the default value of rh-allow-sha1-signatures is yes on Fedora. See Commit - rpms/openssl - 2fdd24a7245144606e3f3ddd67e64225be741324 - src.fedoraproject.org and its commit message.

If this isn’t solved by switching to the LEGACY crypto policy, I either misidentified the root cause, or your EAP server requires SSLv3. In any case, you should ask your university’s IT department to support modern TLS on their EAP server.

3 Likes
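To make the openssl_conf -> alg_section -> rh-allow-sha1-signatures indirection concrete, here is a small checker (an added example, not code from the thread or from OpenSSL) that parses a minimal openssl.cnf-style text and follows that chain; the two sample configs are constructed from the wrong and the correct forms shown above, and the toy parser does not follow .include directives.

```python
# Added example (not from the thread or from OpenSSL): follow the
# openssl_conf -> alg_section -> rh-allow-sha1-signatures chain in an
# openssl.cnf-style text. Constructed samples below; ".include" is not handled.

def parse_openssl_cnf(text):
    """Return {section: {key: value}}; keys before the first [section]
    land in the unnamed section ''. Comments (#) and blanks are skipped."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
        # a bare word with no '=' (as in the first attempt above) is not a setting
    return sections


def resolve_sha1_signatures(cnf):
    """Return the configured rh-allow-sha1-signatures value ('yes'/'no'),
    or None when the chain is incomplete and the package default applies."""
    init_section = cnf.get("", {}).get("openssl_conf")
    if init_section is None:
        return None
    alg_section = cnf.get(init_section, {}).get("alg_section")
    if alg_section is None:
        return None
    return cnf.get(alg_section, {}).get("rh-allow-sha1-signatures")


# Constructed: alg_section treated as a literal section header.
WRONG_CNF = """
[ alg_section ]

rh-allow-sha1-signatures
"""

# Constructed: the two-step indirection the thread describes.
CORRECT_CNF = """
openssl_conf = openssl_init

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes
"""
```

Running resolve_sha1_signatures over the first sample yields None (nothing configured, so the default applies), while the second yields "yes".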

Thanks very much @clang (I’ve also edited your posts to make the links work). @fatka please let us know if this works for you or not.

Thanks @clang @ankursinha. Unfortunately, I’m a visitor at the University, and I will be back on location a few weeks from now. But I have other eduroam locations near me, I’ll check there this week. That way I can isolate whether it’s this one university, or if the issue is more common.

1 Like

Sorry for getting back so late. I couldn’t get back on location until now. I tried setting the crypto policy to legacy:

# update-crypto-policies --show 
LEGACY
# update-crypto-policies --check 
The configured policy matches the generated policy
# update-crypto-policies --is-applied
The configured policy is applied

After setting the policy, I also restarted NetworkManager using systemctl. However I still get the above issue. For now I have been connecting my Android phone to eduroam, and using USB tethering.

Sorry it took me a while, updating the crypto policy actually fixed the problem for me, I just had to reboot. This also helped another colleague who was having the same problem! Thanks again :)

2 Likes

Thanks for the feedback. You should talk to the IT department of the university and let them know they should upgrade their RADIUS server to support TLS 1.2 or newer.