Re: Getting TLS-related information about a PEAP connection from wpa_supplicant

Jouni Malinen <j@xxxxx> writes:

> On Sun, Nov 26, 2023 at 10:52:54AM +0100, Arsen Arsenović wrote:
>> I'm trying to debug a connection failure from some systems onto our
>> PEAP-connected network.
>> 
>> I've identified that the cause of the issue is that OpenSSL 3, present on
>> some of the systems that fail to connect, has a higher default SECLEVEL
>> and/or minimum protocol version than previous versions.
>> 
>> I have reason to suspect that our PEAP infrastructure uses severely
>> outdated TLS, and so that OpenSSL is acting correctly, and would like to
>> confirm this suspicion and submit an analysis and request to upgrade to
>> our network administrators.
>> 
>> Can I fetch information about the PEAP TLS session (TLS version, ciphers
>> in use, ...) from wpa_supplicant?
>
> It is unfortunately very common for deployed RADIUS authentication
> servers to use old (and in many cases, _really_ old) TLS implementations
> and protocol features. While the best way to address this would be to
> update the authentication server, that is not always practical for the
> users of the network to get done and as such, wpa_supplicant does allow
> SECLEVEL to be dropped as a workaround with the openssl_ciphers
> configuration parameter.

I've recovered the following logs from a failed connect attempt:

  OpenSSL: RX ver=0x301 content_type=256 (TLS header info/)
  OpenSSL: Message - hexdump(len=5): [REMOVED]
  SSL: (where=0x1001 ret=0x1)
  SSL: SSL_connect:SSLv3/TLS write client hello
  OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
  OpenSSL: Message - hexdump(len=81): [REMOVED]
  OpenSSL: Server selected cipher suite 0x2f
  OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
  OpenSSL: Message - hexdump(len=5): [REMOVED]
  OpenSSL: TX ver=0x303 content_type=21 (alert/)
  OpenSSL: Message - hexdump(len=2): [REMOVED]
  SSL: (where=0x4008 ret=0x246)
  SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
  EAP: Status notification: local TLS alert (param=protocol version)
  SSL: (where=0x1002 ret=0xffffffff)
  SSL: SSL_connect:error in error
  OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
  SSL: 7 bytes pending from ssl_out
  SSL: Using TLS version TLSv1.2
  SSL: Failed - tls_out available to report error (len=7)

... which would mean TLSv1.2 is used, I believe.  I suspect the
ciphersuites are too old.

> The easiest way to get comprehensive information from failed PEAP
> authentication attempts is using the stdout debug facility by adding -dd
> on the wpa_supplicant command line. That might be doable with
> distribution specific mechanisms in some other ways as well by
> configuring debug verbosity to MSGDUMP (or even DEBUG would likely be
> sufficient for most needs) and record debug log into the system log
> files.

Indeed, I did that for the above.  Thanks.

Have a lovely day.
-- 
Arsen Arsenović

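As an added example (not code from wpa_supplicant or from either poster), the script below reads the `OpenSSL:` / `SSL:` lines of a `-dd` debug log like the one quoted above and summarises the negotiated TLS version, the server-selected cipher suite, any alert, and the OpenSSL error reason, so the facts for an upgrade request to the network administrators can be pulled out mechanically. The sample log is constructed from the lines quoted in the message; the cipher-suite name table is an assumption limited to a few IANA identifiers, and unknown suites are reported by number.

```python
"""Summarise the TLS handshake recorded in wpa_supplicant -dd debug output.
Added example, not part of wpa_supplicant: it parses the 'OpenSSL:' / 'SSL:'
debug lines and reports what the supplicant and the PEAP server agreed on."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the relevant lines of the failed-connect log above.
SAMPLE_LOG = """\
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=81): [REMOVED]
OpenSSL: Server selected cipher suite 0x2f
OpenSSL: TX ver=0x303 content_type=21 (alert/)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
EAP: Status notification: local TLS alert (param=protocol version)
SSL: SSL_connect:error in error
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
SSL: Using TLS version TLSv1.2
SSL: Failed - tls_out available to report error (len=7)
"""

TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

# IANA cipher suite ids. Assumption: only a handful are mapped; others are shown by number.
CIPHER_SUITES = {
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

RE_RECORD = re.compile(r"OpenSSL: (RX|TX) ver=0x([0-9a-fA-F]+) content_type=(\d+) \((.*)\)")
RE_CIPHER = re.compile(r"OpenSSL: Server selected cipher suite 0x([0-9a-fA-F]+)")
RE_ALERT = re.compile(r"SSL: SSL3 alert: (read|write) \((.*)\):(\w+):(.+)")
RE_OSSL_ERR = re.compile(r"SSL_connect error:([0-9A-Fa-f]+):(.+)")
RE_USING = re.compile(r"SSL: Using TLS version (\S+)")


@dataclass
class HandshakeSummary:
    server_hello_version: Optional[str] = None
    cipher_suite: Optional[int] = None
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)  # (direction, level, text)
    openssl_error_code: Optional[str] = None
    openssl_reason: Optional[str] = None
    reported_version: Optional[str] = None

    def cipher_name(self) -> Optional[str]:
        if self.cipher_suite is None:
            return None
        return CIPHER_SUITES.get(self.cipher_suite, "0x%04x" % self.cipher_suite)

    def forward_secret(self) -> Optional[bool]:
        # Static RSA key exchange (TLS_RSA_*) gives no forward secrecy; None if unknown suite.
        name = self.cipher_name()
        if name is None or name.startswith("0x"):
            return None
        return not name.startswith("TLS_RSA_")


def parse_log(text: str) -> HandshakeSummary:
    s = HandshakeSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_RECORD.search(line)
        if m:
            # The ServerHello record carries the version the server chose.
            if m.group(1) == "RX" and "server hello" in m.group(4):
                ver = int(m.group(2), 16)
                s.server_hello_version = TLS_VERSIONS.get(ver, "0x%04x" % ver)
            continue
        m = RE_CIPHER.search(line)
        if m:
            s.cipher_suite = int(m.group(1), 16)
            continue
        m = RE_ALERT.search(line)
        if m:
            s.alerts.append((m.group(1), m.group(3), m.group(4).strip()))
            continue
        m = RE_OSSL_ERR.search(line)
        if m:
            s.openssl_error_code = m.group(1)
            s.openssl_reason = m.group(2).rsplit(":", 1)[-1].strip()
            continue
        m = RE_USING.search(line)
        if m:
            s.reported_version = m.group(1)
    return s


def diagnose(s: HandshakeSummary) -> str:
    """Plain-language verdict derived only from the parsed fields."""
    for direction, level, text in s.alerts:
        if direction == "write" and text == "protocol version":
            return ("client sent a fatal protocol_version alert: the supplicant's OpenSSL "
                    "refused the protocol version the server selected")
        if direction == "read":
            return "server sent a %s alert: %s" % (level, text)
    if s.openssl_reason:
        return "OpenSSL error: " + s.openssl_reason
    return "no alert recorded; handshake not rejected by either side"


if __name__ == "__main__":
    summary = parse_log(SAMPLE_LOG)
    print("ServerHello version:", summary.server_hello_version)
    print("cipher suite       :", summary.cipher_name())
    print("forward secrecy    :", summary.forward_secret())
    print("verdict            :", diagnose(summary))
```

On the quoted log this reports a TLSv1.2 ServerHello, suite 0x2f (TLS_RSA_WITH_AES_128_CBC_SHA, static RSA key exchange, so no forward secrecy) and a client-side fatal protocol_version alert matching OpenSSL's "unsupported protocol" reason. Those three facts are what an upgrade request to the administrators needs; the durable fix remains updating the authentication server, with the openssl_ciphers workaround Jouni mentions being the supplicant-side fallback.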

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
