[pkg-wpa-devel] Bug#579297: Bug#579297: wpasupplicant: Recompiling with gnutls fixes (or workarounds) the problem
Stefan Lippers-Hollmann
s.L-H at gmx.de
Fri Nov 2 23:33:50 UTC 2012
Control: forcemerge 668612 -1

Hi

On Friday 02 November 2012, Klaus Knopper wrote:
> Package: wpasupplicant
> Version: 1.0-3
> Severity: normal
>
>
> In an eduroam environment (which is basically WPA-Enterprise), I can
> confirm disconnects without the possibility to reconnect when using
> wpa_supplicant with network-manager. Killing and restarting
> wpa_supplicant allows a temporary reconnect.
This is
http://w1.fi/bugz/show_bug.cgi?id=447
respectively
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668612
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561081
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574714
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579297
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667706
> When researching the problem, I found this posting:
> https://bugs.launchpad.net/ubuntu/+source/wpasupplicant/+bug/429370/comments/19
>
> It states that the problem may be actually an openssl bug which lets the rekeying
> process fail permanently, and recommended recompiling with gnutls instead of
> openssl. I did this:
[…]
The problem with this suggestion and the corresponding patch is that it
switches from one (known) set of bugs to another (unknown) one. While
linking to gnutls is supported upstream, none of the major
distributions (not even Ubuntu) actually does so, which makes it pretty
much untested in practice. Even if we wanted to switch to gnutls, doing
so simply isn't possible at this stage of Debian's release process and
in freeze*.
*) However technically speaking, we can't switch to gnutls anytime
soon, because gnutls doesn't provide a udeb, which is needed for
using wpa_supplicant by the Debian installer (d-i). While your
package build against gnutls succeeded, you have most likely ended
with an unsatisfiable (in the d-i/udeb context) dependency on
libgnutls26-udeb for wpasupplicant-udeb_*.udeb (dpkg-gensymbols
employs very crude heuristics to construct the dependencies for
udeb packages without actually having access to a udeb context).
[…]
> and have been testing the modified package for about a month now, the
> frequent disconnects have completely disappeared.
>
> The right place for a real fix would probably be openssl, but the
> problem does not seem to be addressed or sufficiently researched there,
> so the workaround by using gnutls instead of openssl seems to be
> the best option for now.
[…]
At this moment it is not obvious to me if wpa_supplicant is broken, or
if some popular commercial wlan installations used for eduroam
institutions are to blame. While, given the ubiquity and prevalence of
this issue in academic environments, it might be possible that
wpa_supplicant may need to work around the problem, this would
best be fixed at wpa_supplicant's upstream. Unfortunately none of the
current wpa maintainers for Debian has access to an affected wlan setup
in order to try to reproduce the problem, nor has enough information to
recreate an affected EAP/PAP setup for debugging, which significantly
reduces our abilities to help. Therefore it's probably best to engage
with wpa_supplicant upstream to get this fixed once and for all.
Regards
Stefan Lippers-Hollmann