[pkg-wpa-devel] Bug#579297: wpasupplicant: Recompiling with gnutls fixes (or workarounds) the problem
Klaus Knopper
bugs at knopper.net
Fri Nov 2 13:54:44 UTC 2012
Package: wpasupplicant
Version: 1.0-3
Severity: normal
In an eduroam environment (which is basically WPA-Enterprise), I can
confirm disconnects without the possibility to reconnect when using
wpa_supplicant with network-manager. Killing and restarting
wpa_supplicant allows a temporary reconnect.
When researching the problem, I found this posting:
https://bugs.launchpad.net/ubuntu/+source/wpasupplicant/+bug/429370/comments/19
It states that the problem may be actually an openssl bug which lets the rekeying
process fail permanently, and recommended recompiling with gnutls instead of
openssl. I did this:
--- wpa-1.0/debian/config/wpasupplicant/linux 2012-10-16 21:54:27.000000000 +0200
+++ wpa-1.0-gnutls/debian/config/wpasupplicant/linux 2012-10-16 23:03:41.000000000 +0200
@@ -166,8 +166,8 @@
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
CONFIG_EAP_PSK=y
-# EAP-pwd (secure authentication using only a password)
-CONFIG_EAP_PWD=y
+# EAP-pwd (secure authentication using only a password), requires openssl, currently does not work with gnutls
+# CONFIG_EAP_PWD=y
# EAP-PAX
CONFIG_EAP_PAX=y
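Review bot: commenting out `CONFIG_EAP_PWD=y` removes EAP-pwd from the built package as a side effect of the TLS backend switch, and the only record of that is the inline comment. Anyone relying on EAP-pwd loses the method on upgrade, so the removal should also be stated in the package changelog. The new comment line is also much longer than the neighbouring entries; splitting the "requires openssl, currently does not work with gnutls" part onto its own comment line would keep the file consistent.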
@@ -327,7 +327,7 @@
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# none = Empty template
-CONFIG_TLS=openssl
+CONFIG_TLS=gnutls
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
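Review bot: the `CONFIG_TLS=gnutls` line changes the TLS library for every TLS-based EAP method, yet nothing beside the setting says why. Since this is meant as a workaround rather than a fix, a comment above the line naming the reason (suspected openssl rekeying failure, Bug#579297) would let a later maintainer know when it is safe to revert to `CONFIG_TLS=openssl`.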
(end of patch)
and have been testing the modified package for about a month now, the
frequent disconnects have completely disappeared.
The right place for a real fix would probably be openssl, but the
problem does not seem to be addressed or sufficiently researched there,
so the workaround by using gnutls instead of openssl seems to be
the best option for now.
Please note that my system information below reflects the modified
package with gnutls instead of openssl.
Regards
-Klaus
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.6.5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages wpasupplicant depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii initscripts 2.88dsf-13.13 scripts for initializing and shutt
ii libc6 2.13-33 Embedded GNU C Library: Shared lib
ii libdbus-1-3 1.6.8-1 simple interprocess messaging syst
ii libgcrypt11 1.5.0-3 LGPL Crypto library - runtime libr
ii libgnutls26 2.12.20-1 GNU TLS library - runtime library
ii libgpg-error0 1.10-3 library for common error values an
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii libnl-3-200 3.2.7-4 library for dealing with netlink s
ii libnl-genl-3-200 3.2.7-4 library for dealing with netlink s
ii libreadline5 5.2-12 GNU readline and history libraries
ii lsb-base 4.1+Debian7 Linux Standard Base 4.1 init scrip
wpasupplicant recommends no packages.