On Wed, Nov 20, 2024 at 11:38 AM Davide Caratti <dcaratti@xxxxxxxxxx> wrote:
hi,
On Wed, Nov 20, 2024 at 11:09 AM Clemens Lang <cllang@xxxxxxxxxx> wrote:
>
> Hi,
>
> > On 19. Nov 2024, at 17:47, Arthur Bols <arthur@xxxxxxxx> wrote:
> >
> > A few days ago pkcs11-provider-0.5-3.fc41 update was pushed to Fedora 41. Unfortunately, this update breaks eduroam and possibly many other WPA2-Enterprise wifi networks. There are multiple threads on Fedora Discussion, mainly [0], and a bug report [1].
> >
> > I understand that the maintainers implemented this change with the best intentions, however, could someone clarify why this provider was enabled so abruptly in this update? Wouldn’t such a change typically require a change proposal? Given how many users are affected, would it make sense to consider rolling back the update until there’s a fix?
>
> I think the bug can be fixed in wpa_supplicant, but until that happens, users should just uninstall pkcs11-provider.
>
> The idea here was to auto-enable pkcs11-provider when it is installed, which still makes sense to me. The issue here I think is that many people ended up with pkcs11-provider installed because of a recommendation. We should remove that recommendation, most users don’t need pcks11-provider installed.
I'm trying a setup right now, to understand what's happening.
wpa_supplicant does not need pkcs11-provider *at the moment*, because
it uses engine API for pkcs11 (and that is going to be a problem in
the future for EAP-TLS with pkcs11, if engine disappears from
openssl). However, it loads the legacy provider at startup, because
it's needed for MSCHAPv2 in the inner authentication.
Do you also load the default provider and/or set default fetching properties?
Dmitry Belyavskiy
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue