Hi All,

I'm having issues trying to use wired 802.1x with EAP-TLS on a FIPS enabled Ubuntu 22.04 machine. The radius server for authentication is using cert based authentication. The Radius Server is using high level ciphers and forcing TLS 1.2. This configuration works when the machine does not have FIPS enabled (openssl fips).

Enabling FIPS, which installs a FIPS validated openssl, resulted in the Ubuntu 22.04 packaged wpa_supplicant having the following issue:

wpa_supplicant[19782]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
wpa_supplicant[19782]: OpenSSL: openssl_handshake - SSL_connect error:1C800073:Provider routines::invalid data
wpa_supplicant[19782]: OpenSSL: pending error: error:0A0C0103:SSL routines::internal error

I believe the cause is wpa_supplicant trying to use unsafe ciphers in the initial handshake.

This led me to try to build wpa_supplicant with the configuration flag CONFIG_FIPS=y. I can get this to build, as I just need 802.1x and EAP-TLS for my needs. However, when I try using the FIPS configured wpa_supplicant, I get an exception code, resulting in the following:

wpa_supplicant -D wired -B -i eno1 -dd -c wpa-eno1.conf

Add interface eno1 to a new radio N/A
eno1: Own MAC address: 70:5a:0f:43:7c:eb
eno1: RSN: flushing PMKID list in the driver
eno1: Setting scan request: 0.100000 sec
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
eno1: WPS: UUID based on MAC address: 0487e092-9670-5840-809d-2f1d906636f7
FIPS mode requested, but not supported
SSL: Failed to initialize TLS context.
Failed to initialize EAPOL state machines.
Failed to add interface eno1
eno1: Request to deauthenticate - bssid=00:00:00:00:00:00 pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING) state=DISCONNECTED valid_links=0x0 ap_mld_addr=00:00:00:00:00:00
TDLS: Tear down peers
eno1: State: DISCONNECTED -> DISCONNECTED
QM: Clear all active DSCP policies
eno1: CTRL-EVENT-DSCP-POLICY clear_all
eno1: WPA: Clear old PMK and PTK
eno1: Cancelling scan request
eno1: Cancelling authentication timeout
Off-channel: Clear pending Action frame TX (pending_action_tx=(nil)
Off-channel: Action frame sequence done notification: pending_action_tx=(nil) drv_offchan_tx=0 action_tx_wait_time=0 off_channel_freq=0 roc_waiting_drv_freq=0
QM: Clear all active DSCP policies
eno1: CTRL-EVENT-DSCP-POLICY clear_all
Remove interface eno1 from radio
Remove radio

Any suggestions to get it to work in FIPS mode? I've tried taking the Debian config and building as similarly as I can.

Thanks!

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap