Security

Wondering if others have run into this issue which, from what I can tell, isn't an OpenSSL issue, but is just now being seen because recently OpenSSL has addressed a MITM vulnerability with "unsafe legacy renegotiation" in TLS.

Some background:
https://www.ethohampton.com/2022/04/ubuntu-2204-legacy-wifi-authentication/
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
I haven't yet found any information related to this issue after a look around the community here and web search.
We've raised it with our SE to see what he can find out for us.

------------------------------
Scott Bertilson
------------------------------

One of my power-users just reported the same issue.  PCAP shows that the client sends a Handshake Failure immediately after receiving the clearpass server's radius certificate.

Log from the client:
deauthenticated from <BSSID Here> (Reason: 23=IEEE8021X_FAILED)

Log from ClearPass:
EAP-PEAP: fatal alert by client - handshake_failure
TLS Handshake failed in SSL_read with error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
eap-tls: Error in establishing TLS session

This is due to a long-coming change in OpenSSL that removed what they consider to be legacy support.
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834

I expect that this will affect other OSes that also use OpenSSL as they get updated.

------------------------------
Bryan Ward
------------------------------

Original Message:
Sent: Apr 29, 2022 05:17 PM
From: Scott Bertilson
Subject: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

Wondering if others have run into this issue which, from what I can tell, isn't an OpenSSL issue, but is just now being seen because recently OpenSSL has addressed a MITM vulnerability with "unsafe legacy renegotiation" in TLS.

Some background:
https://www.ethohampton.com/2022/04/ubuntu-2204-legacy-wifi-authentication/
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
I haven't yet found any information related to this issue after a look around the community here and web search.
We've raised it with our SE to see what he can find out for us.

------------------------------
Scott Bertilson
------------------------------

This is documented as a known issue in 6.10.5 release notes. Fix is in progress, not ETA yet.



------------------------------
Mathew George
------------------------------

Original Message:
Sent: May 05, 2022 01:50 PM
From: Bryan Ward
Subject: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

One of my power-users just reported the same issue.  PCAP shows that the client sends a Handshake Failure immediately after receiving the clearpass server's radius certificate.

Log from the client:
deauthenticated from <BSSID Here> (Reason: 23=IEEE8021X_FAILED)

Log from ClearPass:
EAP-PEAP: fatal alert by client - handshake_failure
TLS Handshake failed in SSL_read with error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
eap-tls: Error in establishing TLS session

This is due to a long-coming change in OpenSSL that removed what they consider to be legacy support.
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834

I expect that this will affect other OSes that also use OpenSSL as they get updated.

------------------------------
Bryan Ward

Original Message:
Sent: Apr 29, 2022 05:17 PM
From: Scott Bertilson
Subject: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

Wondering if others have run into this issue which, from what I can tell, isn't an OpenSSL issue, but is just now being seen because recently OpenSSL has addressed a MITM vulnerability with "unsafe legacy renegotiation" in TLS.

Some background:
https://www.ethohampton.com/2022/04/ubuntu-2204-legacy-wifi-authentication/
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
I haven't yet found any information related to this issue after a look around the community here and web search.
We've raised it with our SE to see what he can find out for us.

------------------------------
Scott Bertilson
------------------------------

We've encountered this issue as well. There's a good summary here: https://lists.infradead.org/pipermail/hostap/2022-May/040511.html

There's a viable workaround to fork the config for /etc/wpa_supplicant/openssl.cnf: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267/comments/22
But this is updating a systemd service file for wpa_supplicant and will be overwritten by updates, so it's not a long-term fix.

We're waiting to see if the wpa_supplicant gets updated to revert the change, but it would be good to know if Aruba and ClearPass are looking at this.

------------------------------
CELERY MAN
------------------------------

Original Message:
Sent: Apr 29, 2022 05:17 PM
From: Scott Bertilson
Subject: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

Wondering if others have run into this issue which, from what I can tell, isn't an OpenSSL issue, but is just now being seen because recently OpenSSL has addressed a MITM vulnerability with "unsafe legacy renegotiation" in TLS.

Some background:
https://www.ethohampton.com/2022/04/ubuntu-2204-legacy-wifi-authentication/
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
I haven't yet found any information related to this issue after a look around the community here and web search.
We've raised it with our SE to see what he can find out for us.

------------------------------
Scott Bertilson
------------------------------

Looks like it's resolved in 6.10.6. Phew!

We had this hit us with a RHEL 9 client and we'll be applying this patch soon.

https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.10.x/Default.htm#ReleaseNotes/Resolved/Resolved-6.10.6.htm?TocPath=Resolved%2520Issues%2520in%2520ClearPass%25206.10.x%257C_____2

Original Message:
Sent: May 05, 2022 02:58 PM
From: CELERY MAN
Subject: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

We've encountered this issue as well. There's a good summary here: https://lists.infradead.org/pipermail/hostap/2022-May/040511.html

There's a viable workaround to fork the config for /etc/wpa_supplicant/openssl.cnf: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267/comments/22
But this is updating a systemd service file for wpa_supplicant and will be overwritten by updates, so it's not a long-term fix.

We're waiting to see if the wpa_supplicant gets updated to revert the change, but it would be good to know if Aruba and ClearPass are looking at this.

------------------------------
CELERY MAN

Original Message:
Sent: Apr 29, 2022 05:17 PM
From: Scott Bertilson
Subject: problems with Ubuntu 22.04 connecting using EAP (related to TLS vulnerability addressed by RFC 5746)

Wondering if others have run into this issue which, from what I can tell, isn't an OpenSSL issue, but is just now being seen because recently OpenSSL has addressed a MITM vulnerability with "unsafe legacy renegotiation" in TLS.

Some background:
https://www.ethohampton.com/2022/04/ubuntu-2204-legacy-wifi-authentication/
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
I haven't yet found any information related to this issue after a look around the community here and web search.
We've raised it with our SE to see what he can find out for us.

------------------------------
Scott Bertilson
------------------------------