
EAP-TLS TLSv1.0/1.1 regression after T5003
Status: Closed, Resolved | Visibility: Public | Type: BUG

Description

After T5003, wpa_supplicant can no longer connect to legacy networks that use TLSv1.0/1.1. This differs from vanilla Debian 12 behavior and breaks compatibility with some ISPs' (crappy) fiber ONTs that unfortunately will likely never be upgraded to use secure crypto.

The regression is caused by the following changes:

  • Debian 12 upgraded openssl to 3.0, which no longer allows legacy renegotiation by default (SSL_OP_LEGACY_SERVER_CONNECT flag). Debian's wpa_supplicant includes allow-legacy-renegotiation.patch, which we can add to VyOS' custom wpa_supplicant package since it applies cleanly.
  • VyOS' wpa_supplicant was upgraded to a newer git commit (6b9c86466), which is not fully compatible with Debian's allow-tlsv1.patch for allowing TLSv1 by default. As a result, wpa_supplicant only respects the system-wide openssl crypto policy, which disables TLSv1. This can be fixed by adding tls_disable_tlsv1_0=0 to the phase1 config in wpa_supplicant.conf, which is documented to have higher priority than the system crypto policy.

With these two fixes implemented, the behavior in VyOS matches vanilla Debian 12 (wpa_supplicant 2.10). I'll open a couple of PRs to get these implemented.
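For reference, this is what the second fix looks like at the wpa_supplicant.conf level, as an added example that is not code from the task or from the VyOS PRs. The network block, identity and certificate paths are constructed for illustration; the only settings taken from the report are the EAP-TLS method and the tls_disable_tlsv1_0=0 phase1 parameter (tls_disable_tlsv1_1 is the corresponding wpa_supplicant parameter for TLSv1.1 and is assumed to be wanted for the same legacy peers).

```ini
# Constructed example wpa_supplicant.conf for a wired EAP-TLS ONT uplink.
# Not from the task or from VyOS; paths and identity are placeholders.
ctrl_interface=/run/wpa_supplicant
# Wired 802.1X: no scanning, no association
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="ont-client"
    ca_cert="/etc/wpa_supplicant/ont-ca.pem"
    client_cert="/etc/wpa_supplicant/ont-client.pem"
    private_key="/etc/wpa_supplicant/ont-client.key"
    # Re-enable TLSv1.0/1.1 for this one network only. Per the
    # wpa_supplicant.conf documentation, these phase1 parameters take
    # priority over the system-wide OpenSSL crypto policy, which is what
    # disables TLSv1 on Debian 12 / OpenSSL 3.0.
    phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"
    eapol_flags=0
}
```

Keeping the override inside the network block rather than in a global or system-wide setting limits the weakened TLS floor to the peer that actually needs it; every other EAP-TLS network on the box keeps the OpenSSL default minimum version. The first fix (legacy renegotiation) is a package-level patch and has no equivalent knob in this file.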

Details

Difficulty level: Easy (less than an hour)
Version: 1.4-rolling-202304070317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

chenxiaolong claimed this task.

Closing as resolved because the PRs were merged (thanks for the quick review!)

Viacheslav reopened this task as Needs testing. (Edited Apr 10 2023, 11:12 AM)
Viacheslav added a subscriber: Viacheslav.

It cannot pass the smoketest /usr/libexec/vyos/tests/smoke/cli/test_interfaces_wireless.py:

06:48:28  DEBUG - test_wireless_access_point_bridge (__main__.WirelessInterfaceTest.test_wireless_access_point_bridge) ... FAIL
06:48:29  DEBUG - test_wireless_access_point_bridge (__main__.WirelessInterfaceTest.test_wireless_access_point_bridge) ... ERROR
06:48:30  DEBUG - test_wireless_add_single_ip_address (__main__.WirelessInterfaceTest.test_wireless_add_single_ip_address) ... ERROR
06:48:32  DEBUG - test_wireless_add_single_ip_address (__main__.WirelessInterfaceTest.test_wireless_add_single_ip_address) ... ERROR
06:48:33  DEBUG - test_wireless_hostapd_config (__main__.WirelessInterfaceTest.test_wireless_hostapd_config) ... FAIL
06:48:34  DEBUG - test_wireless_hostapd_config (__main__.WirelessInterfaceTest.test_wireless_hostapd_config) ... ERROR
06:48:37  DEBUG - test_wireless_hostapd_wpa_config (__main__.WirelessInterfaceTest.test_wireless_hostapd_wpa_config) ... FAIL
06:48:38  DEBUG - test_wireless_hostapd_wpa_config (__main__.WirelessInterfaceTest.test_wireless_hostapd_wpa_config) ... ERROR

If I'm not wrong it is after those changes.

Thanks, I ran the ethernet smoke tests, but not the wireless ones. I'll investigate right away.

I found the issue. This was caused by bumping the Debian packaging scripts from debian/2%2.10-10 to debian/2%2.10-12, which includes https://salsa.debian.org/debian/wpa/-/commit/d204ceb5a2dc33db888eb55b5fee542a1005e69c. This is not compatible with VyOS because VyOS uses a config path in /run.

I've submitted a PR to fix this here: https://github.com/vyos/vyos-build/pull/335

EDIT: Submitted a PR in vyos-1x instead because we would run into this issue again if we ever switched back to Debian's hostap package: https://github.com/vyos/vyos-1x/pull/1948