Cannot connect to wpa enterprise network

Hello! I can't seem to connect to a WPA enterprise network with nixos (not unstable)
There’s a related ubuntu bug report which has the same issue: Bug #1958267 “wpa can't connect to servers using TLS 1.1 or olde...” : Bugs : wpa package : Ubuntu

I can’t find how I’m supposed to use this on NixOS.
I have tried to use environment.etc but it doesn’t work.

Relevant error from wpa_supplicant:
OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled

The live ISO works though, it’s very strange.
Thanks!

You’re not providing enough information:

  1. what kind of WPA enterprise? (EAP, PEAP, …)
  2. what are you trying for connecting? (running wpa_cli, configuring wpa_supplicant with networking.wireless, directly running wpa_supplicant, …)
  3. what does “the live ISO works” mean?

  1. I am using PEAP, MSCHAPv2 inner.
  2. I am using networkmanager with wpa supplicant backend.

Also, looks like I was using unstable, which is my bad. It works with stable (22.05) but I’m worried whatever was changed will break again when 22.11 releases.

Uhm, I’m not familiar with NetworkManager but it could be very easily an issue with wpa_supplicant.

To rule it out, can you try connecting following the steps described here with wpa_cli (and not nmcli or equivalent)?

It probably will! Looking at that bug report this is caused by wpa_supplicant being built with openssl 3+, which marks TLS 1.1 as insecure for good reasons (mainly its use of insecure hashing algorithms). Unstable has switched to openssl 3, and 22.11 will most likely be using that too.

The correct thing to do is to upgrade whatever router you’re trying to connect to, that thing is a hazard.

Alternatively, if you have no control over this, you can either:

  • Explicitly enable tlsv1.1?
    • Not sure this will work, because it presumably doesn’t override the openssl cipher, but who knows
  • Downgrade the security level for wpa_supplicant (apparently that’s openssl_ciphers=DEFAULT@SECLEVEL=0 in your config for the network).
    • networkmanager does not support passing this configuration apparently, but maybe you can find something. I’ve always just stuck to wpa_supplicant personally, it’s much simpler.
  • Downgrade the version of openssl wpa_supplicant is built with by overriding it with openssl_1_1
    • Probably the worst option security-wise, and probably won’t stick long-term?

I will try that, thanks! I need to disable networkmanager in the config and enable plain wpa right?

Yes, you could try by disabling NetworkManager, enabling wpa_supplicant and adding the network via networking.wireless.networks or manually through wpa_cli.

If you don’t want to mess with your configuration you could also use the minimal installer, which is already configured like this.

I tried adding the cipher and enabling tlsv1.1, no success. Maybe I should look at Debian’s patches into wpa_supplicant?
But yeah, both of the first 2 don’t work and I’m wondering if I really want to downgrade openssl to 1.1

I also tried the patch that Ubuntu put into their wpa package, it does not seem to work. This is pretty frustrating…

Dug a bit further, that ubuntu bug is just a different, but unrelated breakage caused by openssl updates.

I think yours is the one described in this blog post, which actually covers NixOS: eduroam, OpenSSL 3, and wpa_supplicant - k = 1 cat - Jim Fowler

I’ve looked around for a pure configuration setting, but I think that patch is much easier to do. You’d apparently have to create a separate openssl config file.

Networkmanager should continue to work if you use that patch, too. But I’d definitely suggest asking whoever maintains this network to look at updating their infrastructure in the long run.


Thank you so much! That worked perfectly. And the infrastructure belongs to LAUSD, so not likely, but I will ask.


Hi

I followed the link and managed to add a patch to wpa_supplicant but I still can't get authorized in my office network. Did you adjust anything in your system? Did you create a new openssl config file?


I also tried the patch without success, but a different solution worked for me:

# Point only the wpa_supplicant service at a dedicated OpenSSL config
# that relaxes the OpenSSL 3 TLS defaults for this one process.
systemd.services.wpa_supplicant.environment.OPENSSL_CONF = pkgs.writeText "openssl.cnf" ''
  openssl_conf = openssl_init
  [openssl_init]
  ssl_conf = ssl_sect
  [ssl_sect]
  system_default = system_default_sect
  [system_default_sect]
  Options = UnsafeLegacyRenegotiation
  CipherString = Default:@SECLEVEL=0
'';
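As an added example (not from the thread or from any of the projects mentioned), here is a small Python audit that parses an OPENSSL_CONF file like the one above, resolves the openssl_conf -> ssl_conf -> system_default chain the way OpenSSL does, and reports which settings weaken TLS for the process that loads it; the sample configuration is the one posted above, constructed inline.

```python
"""Audit an OpenSSL 3 configuration for the TLS downgrades used in the
wpa_supplicant workaround posted above (added example, not from the thread)."""
import re

# Constructed sample: the OPENSSL_CONF contents from the last reply, kept
# with its repeated [system_default_sect] header to show how it merges.
SAMPLE_CNF = """
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
[system_default_sect]
CipherString = Default:@SECLEVEL=0
"""

def parse_openssl_conf(text):
    """Minimal OpenSSL conf parser: '[name]' opens a section and 'key = value'
    assigns into it.  Keys before any header land in 'default'; a repeated
    header reopens the existing section, matching OpenSSL's behaviour."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def audit_tls_defaults(text):
    """Resolve openssl_conf -> ssl_conf -> system_default and return a list of
    findings describing settings that weaken TLS for every client using it."""
    conf = parse_openssl_conf(text)
    init = conf.get(conf["default"].get("openssl_conf", ""), {})
    ssl = conf.get(init.get("ssl_conf", ""), {})
    system = conf.get(ssl.get("system_default", ""), {})
    findings = []
    if "UnsafeLegacyRenegotiation" in system.get("Options", ""):
        findings.append("Options re-enables unsafe legacy renegotiation")
    if re.search(r"@SECLEVEL=0\b", system.get("CipherString", "")):
        findings.append("CipherString sets SECLEVEL=0, disabling key-size and protocol minimums")
    return findings
```

Because the file is scoped to wpa_supplicant through `systemd.services.wpa_supplicant.environment`, an empty finding list for the system-wide `/etc/ssl/openssl.cnf` confirms the downgrade has not leaked to other programs.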