[SOLVED] CA certificate key too weak

[SOLVED] CA certificate key too weak

Postby hank » Oct 26th, '20, 09:34

Our institution uses wifi eduroam network with login via certificates (Radius server). It was working fine. But suddenly I cannot connect anymore.

rsyslog reports from wpa_supplicant 'err= CA certificate key too weak'

The CA certificate according
Code: Select all
keytool -printcert -file root.pem
...
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
...


How to switch to a lower security policy? I tried
Code: Select all
update-crypto-policies --set NEXT

and restart but it did not help.

OS: MGA 7.1 64 bit Plasma
To connect I tried both nm-applet and plasma-applet-nm.

Thanks for any advice.
Last edited by hank on Oct 29th, '20, 07:43, edited 1 time in total.
hank
 
Posts: 9
Joined: Sep 29th, '16, 20:25

Re: CA certificate key too weak

Postby doktor5000 » Oct 26th, '20, 17:57

Try again after
Code: Select all
update-crypto-policies --set LEGACY

AFAICT there is no "NEXT" setting, only default, legacy, future and FIPS

You could also try to set "tls_disable_tlsv1_0=0" in /etc/wpa_supplicant.conf. Although off hand I don't know how to specify the same for the wpa_supplicant instance that is spawned by networkmanager, you'd have to try.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16127
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: CA certificate key too weak

Postby hank » Oct 29th, '20, 07:42

doktor5000 wrote:Try again after
Code: Select all
update-crypto-policies --set LEGACY


Thank you doktor5000. This command helped (after restart). Now it is working.

doktor5000 wrote:You could also try to set "tls_disable_tlsv1_0=0" in /etc/wpa_supplicant.conf. Although off hand I don't know how to specify the same for the wpa_supplicant instance that is spawned by networkmanager, you'd have to try.

I did not applied this command. It was not necessary.

Once again thank you.
hank
 
Posts: 9
Joined: Sep 29th, '16, 20:25

Re: CA certificate key too weak

Postby doktor5000 » Oct 29th, '20, 17:31

hank wrote:Thank you doktor5000. This command helped (after restart). Now it is working.

Well, you should keep in mind that this severely downgrades the security baselevel for everything related to SSL and certificates.
It was mainly intended as a workaround to check if it helps at all.

hank wrote:
doktor5000 wrote:You could also try to set "tls_disable_tlsv1_0=0" in /etc/wpa_supplicant.conf. Although off hand I don't know how to specify the same for the wpa_supplicant instance that is spawned by networkmanager, you'd have to try.

I did not applied this command. It was not necessary.

See above, this would be the proper way to fix this.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16127
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: CA certificate key too weak

Postby hank » Oct 30th, '20, 08:26

In /etc/sysconfig/wpa_supplicant is OTHER_ARGS="-s -c /etc/wpa_supplicant.conf" thus I tried to set "tls_disable_tlsv1_0=0" directly in /etc/wpa_supplicant.conf. But (at update_crypto_policy DEFAULT) it did not solve the network connection issue.

I think I can keep the workaround solution (as you wrote): update_crypto_policy LEGACY.
Last edited by doktor5000 on Oct 30th, '20, 17:27, edited 1 time in total.
Reason: removed fullquote
hank
 
Posts: 9
Joined: Sep 29th, '16, 20:25

Re: CA certificate key too weak

Postby doktor5000 » Oct 30th, '20, 17:28

hank wrote:I tried to set "tls_disable_tlsv1_0=0" directly in /etc/wpa_supplicant.conf.


Where did you place that ?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16127
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: CA certificate key too weak

Postby hank » Oct 31st, '20, 11:11

doktor5000 wrote:
hank wrote:I tried to set "tls_disable_tlsv1_0=0" directly in /etc/wpa_supplicant.conf.


Where did you place that ?


As I wrote -- in /etc/wpa_supplicant.conf (somewhere at the beginning). I thought that networkmanager uses this config file beacuse in /etc/sysconfig/wpa_supplicant is
Code: Select all
...
OTHER_ARGS="-s -c /etc/wpa_supplicant.conf"
...


It was not the right place?
hank
 
Posts: 9
Joined: Sep 29th, '16, 20:25

Re: [SOLVED] CA certificate key too weak

Postby doktor5000 » Oct 31st, '20, 11:42

AFAICT it should be in the configuration stanza for your network, not in the global part.
Also have a look at the man page for wpa_supplicant https://linux.die.net/man/5/wpa_supplicant.conf and the example config file.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16127
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: [SOLVED] CA certificate key too weak

Postby hank » Nov 5th, '20, 08:15

As I understand the networkmanager saves wpa_supplicant configuration to /etc/sysconfig/network-scripts/ to a separate file for each network. It seems that these config files have a slightly different syntax compared to wpa_supplicant.conf, doesn't it? Thus I do not know how to add the required command.
Last edited by isadora on Nov 5th, '20, 14:47, edited 1 time in total.
Reason: Quoting the former message is not appropriate
hank
 
Posts: 9
Joined: Sep 29th, '16, 20:25

Re: [SOLVED] CA certificate key too weak

Postby doktor5000 » Nov 5th, '20, 18:22

If you are talking about the files below /etc/sysconfig/network-scripts/wireless.d/ then no, those are leftovers from net_applet / MCC and they are not used by networkmanager.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16127
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: [SOLVED] CA certificate key too weak

Postby hank » Nov 6th, '20, 11:50

doktor5000 wrote:If you are talking about the files below /etc/sysconfig/network-scripts/wireless.d/ then no, those are leftovers from net_applet / MCC and they are not used by networkmanager.


No, not in wireless.d folder. My networkmanager config for my eduroam network is in /etc/sysconfig/network-scripts/ifcfg-eduroam file:
Code: Select all
ESSID=eduroam
MODE=Managed
KEY_MGMT=WPA-EAP
MAC_ADDRESS_RANDOMIZATION=default
TYPE=Wireless
IEEE_8021X_EAP_METHODS=TLS
IEEE_8021X_IDENTITY=xuser@organization.com
IEEE_8021X_CA_CERT=/home/xuser/.cert/root.pem
IEEE_8021X_PRIVATE_KEY=/home/xuser/.cert/user-xuser.pem
IEEE_8021X_CLIENT_CERT=/home/xuser/.cert/user-xuser.pem
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_PRIVACY=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eduroam
UUID=596cda5e-2a45-4855-99dd-9a8c5976cafc
ONBOOT=yes


I think that it is where nm saves setting for my eduroam connection. Thus I wanted to type tls_disable_tlsv1 command into this file. But it did not have any effect.
hank
 
Posts: 9
Joined: Sep 29th, '16, 20:25

Re: [SOLVED] CA certificate key too weak

Postby doktor5000 » Nov 6th, '20, 17:18

No, that's the classic ifcfg file which is only read via the rh-ifcfg plugin by networkmanager.
Networkmanager still uses the settings from /etc/wpa_supplicant.conf depending on what you selected how it should store your password.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 16127
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: [SOLVED] CA certificate key too weak

Postby hank » Nov 16th, '20, 11:56

Sorry for my delayed response.

I tried to add the "tls_disable_tlsv1_0=0" to general part of /etc/wpa_supplicant.conf and set DEFAULT crypto policies but it did not work. The same message: CA certificate key too weak.

I will keep LEGACY setting. It works.

Thank you for your help.
Last edited by isadora on Nov 16th, '20, 12:33, edited 1 time in total.
Reason: Quoting the former message is not appropriate
hank
 
Posts: 9
Joined: Sep 29th, '16, 20:25


Return to Networking

Who is online

Users browsing this forum: No registered users and 1 guest

cron