[pkg-wpa-devel] Bug#668612: Bug#668612: wpasupplicant: ssl bad certificate

Stefan Lippers-Hollmann s.L-H at gmx.de
Tue May 15 20:58:16 UTC 2012 

Hi

On Tuesday 15 May 2012, Luis Fernando Llana Díaz wrote:
> Package: wpasupplicant
> Version: 0.7.3-6
> Severity: normal
> 
> Dear Maintainer,
>   I have just installed Debian Wheezy. So far, the only important thing
> that does not work is the Eduroam connection in my institution. It has
> always worked in the previous versions. This is the configuration file
> I have always used:

Please test wpasupplicant 1.0-2 from unstable (uploaded yesterday), 
which should install on wheezy without problems or further 
dependencies.

There seem to be longstanding problems with eduroam, unfortunately we
don't know if these are actually fixed in 1.0, if configuration changes
are required (client side), if there are 'just' wrongly encapsulated 
certificates or documentations provided by your university or if these
problems can be attributed to wpasupplicant or kernel driver problems.
The big problem here is that we unfortunately can't set up an 
equivalent server setup for testing, nor have access to the involved
wlans ourselves. So with all the potential problems around, there is
little support we can provide for these specific configurations, 
especially because many universities make it pretty hard to extract the
required certificates from their windows packages.

Therefore we require your assistance to debug these issues and to find
hints for fixing this (and no, switching one bucket of problems using 
OpenSSL with another, by using GNU TLS, is no solution either). With a
little luck, you may find advice from seasoned Linux using students, 
maybe you know success stories from different distributions, where we 
could check what they're doing differently. Eventually wpasupplicant 
upstream also has a few ideas, who is pretty familiar with lots of 
'weird' commercial setups.

The only roughly comparable wlan setup I have access to, uses this kind
of configuration:

network={
	ssid="<whatever>"
	key_mgmt=IEEE8021X
	eap=TTLS
	phase2="auth=PAP"
	identity="<some_username at looing.like.a.mail.address>
	password="<something_secret>"
	ca_cert="/path/to/a/real/cert.pem"
}

which does work fine, perhaps this may help you, although it doesn't 
look too similar.

Regards
	Stefan Lippers-Hollmann
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-wpa-devel/attachments/20120515/a49eab80/attachment.pgp>

More information about the Pkg-wpa-devel mailing list