Security

 View Only
last person joined: 3 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

This thread has been viewed 38 times
  • 1.  problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

    Posted Apr 29, 2022 05:18 PM
    Wondering if others have run into this issue which, from what I can tell, isn't an OpenSSL issue, but is just now being seen because recently OpenSSL has addressed a MITM vulnerability with "unsafe legacy renegotiation" in TLS.

    Some background:
    https://www.ethohampton.com/2022/04/ubuntu-2204-legacy-wifi-authentication/
    https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
    I haven't yet found any information related to this issue after a look around the community here and web search.
    We've raised it with our SE to see what he can find out for us.

    ------------------------------
    Scott Bertilson
    ------------------------------


  • 2.  RE: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

    Posted May 05, 2022 01:51 PM
    One of my power-users just reported the same issue.  PCAP shows that the client sends a Handshake Failure immediately after receiving the clearpass server's radius certificate.

    Log from the client:
    deauthenticated from <BSSID Here> (Reason: 23=IEEE8021X_FAILED)

    Log from ClearPass:
    EAP-PEAP: fatal alert by client - handshake_failure
    TLS Handshake failed in SSL_read with error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
    eap-tls: Error in establishing TLS session

    This is due to a long-coming change in OpenSSL that removed what they consider to be legacy support.
    https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834

    I expect that this will affect other OSes that also use OpenSSL as they get updated.

    ------------------------------
    Bryan Ward
    ------------------------------



  • 3.  RE: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

    EMPLOYEE
    Posted May 06, 2022 02:19 AM
    This is documented as a known issue in 6.10.5 release notes. Fix is in progress, not ETA yet.



    ------------------------------
    Mathew George
    ------------------------------



  • 4.  RE: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

    Posted May 09, 2022 12:32 PM
    We've encountered this issue as well. There's a good summary here: https://lists.infradead.org/pipermail/hostap/2022-May/040511.html

    There's a viable workaround to fork the config for /etc/wpa_supplicant/openssl.cnf: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267/comments/22
    But this is updating a systemd service file for wpa_supplicant and will be overwritten by updates, so it's not a long-term fix.

    We're waiting to see if the wpa_supplicant gets updated to revert the change, but it would be good to know if Aruba and ClearPass are looking at this.

    ------------------------------
    CELERY MAN
    ------------------------------