
[SOLVED] CA certificate key too weak

PostPosted: Oct 26th, '20, 09:34
by hank
Our institution uses the eduroam wifi network with login via certificates (RADIUS server). It was working fine, but suddenly I cannot connect anymore.

rsyslog reports from wpa_supplicant 'err= CA certificate key too weak'

The CA certificate, according to
Code:
keytool -printcert -file root.pem
...
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 1024-bit RSA key (weak)
...


How to switch to a lower security policy? I tried
Code:
update-crypto-policies --set NEXT

and restart but it did not help.

OS: MGA 7.1 64 bit Plasma
To connect I tried both nm-applet and plasma-applet-nm.

Thanks for any advice.
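The keytool output above already tells you why the DEFAULT policy rejects this CA. The following script is an added example, not something from the thread: it runs the same check from the shell so a RADIUS CA certificate can be classified before anyone touches update-crypto-policies. The function names (classify_cert_text, check_ca_cert) are my own, and the parser assumes the text layout of `openssl x509 -noout -text` and an RSA CA key, as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check a CA certificate against the
# minimums the DEFAULT crypto policy applies to TLS (RSA >= 2048 bits, no
# SHA-1/MD5 signatures), so "CA certificate key too weak" can be predicted.
# Assumes the text layout of `openssl x509 -noout -text`.

MIN_RSA_BITS=2048   # DEFAULT policy floor for RSA keys

# Reads `openssl x509 -text` output on stdin and prints one line per finding.
# Returns 0 when the certificate meets the DEFAULT minimums, 1 when it would
# be rejected (RSA key too small and/or SHA-1 / MD5 signature).
classify_cert_text() {
    text=$(cat)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: \(.*\)$/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1)
    weak=0
    if [ "$keyalg" = "rsaEncryption" ]; then
        if [ -z "$bits" ]; then
            echo "cannot determine RSA key size"; weak=1
        elif [ "$bits" -lt "$MIN_RSA_BITS" ]; then
            echo "WEAK: ${bits}-bit RSA key is below the ${MIN_RSA_BITS}-bit minimum"; weak=1
        fi
    else
        # EC keys have different size rules; only the RSA case is covered here.
        echo "note: key algorithm '$keyalg' is not RSA; size check skipped"
    fi
    case "$sigalg" in
        "")                        echo "cannot determine signature algorithm"; weak=1 ;;
        *sha1*|*SHA1*|*md5*|*MD5*) echo "WEAK: signature algorithm $sigalg is disallowed"; weak=1 ;;
    esac
    [ "$weak" -eq 0 ] && echo "OK: $keyalg ${bits}-bit key, $sigalg"
    return "$weak"
}

# Wrapper for a PEM file on disk, e.g. the root.pem from the thread.
check_ca_cert() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Usage: check_ca_cert /path/to/root.pem
```

A non-zero exit means the RADIUS server's CA needs to be reissued with a 2048-bit (or larger) RSA key and a SHA-2 signature; that is the fix that does not require lowering the client policy.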

Re: CA certificate key too weak

PostPosted: Oct 26th, '20, 17:57
by doktor5000
Try again after
Code:
update-crypto-policies --set LEGACY

AFAICT there is no "NEXT" setting, only default, legacy, future and FIPS

You could also try to set "tls_disable_tlsv1_0=0" in /etc/wpa_supplicant.conf. Although off hand I don't know how to specify the same for the wpa_supplicant instance that is spawned by networkmanager, you'd have to try.

Re: CA certificate key too weak

PostPosted: Oct 29th, '20, 07:42
by hank
doktor5000 wrote: Try again after
Code:
update-crypto-policies --set LEGACY


Thank you doktor5000. This command helped (after restart). Now it is working.

doktor5000 wrote: You could also try to set "tls_disable_tlsv1_0=0" in /etc/wpa_supplicant.conf. Although off hand I don't know how to specify the same for the wpa_supplicant instance that is spawned by networkmanager, you'd have to try.

I did not apply this command. It was not necessary.

Once again thank you.

Re: CA certificate key too weak

PostPosted: Oct 29th, '20, 17:31
by doktor5000
hank wrote: Thank you doktor5000. This command helped (after restart). Now it is working.

Well, you should keep in mind that this severely downgrades the security baselevel for everything related to SSL and certificates.
It was mainly intended as a workaround to check if it helps at all.

hank wrote:
doktor5000 wrote: You could also try to set "tls_disable_tlsv1_0=0" in /etc/wpa_supplicant.conf. Although off hand I don't know how to specify the same for the wpa_supplicant instance that is spawned by networkmanager, you'd have to try.

I did not apply this command. It was not necessary.

See above, this would be the proper way to fix this.

Re: CA certificate key too weak

PostPosted: Oct 30th, '20, 08:26
by hank
In /etc/sysconfig/wpa_supplicant there is OTHER_ARGS="-s -c /etc/wpa_supplicant.conf", thus I tried to set "tls_disable_tlsv1_0=0" directly in /etc/wpa_supplicant.conf. But (with update-crypto-policies at DEFAULT) it did not solve the network connection issue.

I think I can keep the workaround solution (as you wrote): update-crypto-policies --set LEGACY.

Re: CA certificate key too weak

PostPosted: Oct 30th, '20, 17:28
by doktor5000
hank wrote: I tried to set "tls_disable_tlsv1_0=0" directly in /etc/wpa_supplicant.conf.

Where did you place that?

Re: CA certificate key too weak

PostPosted: Oct 31st, '20, 11:11
by hank
doktor5000 wrote:
hank wrote: I tried to set "tls_disable_tlsv1_0=0" directly in /etc/wpa_supplicant.conf.

Where did you place that?

As I wrote, in /etc/wpa_supplicant.conf (somewhere at the beginning). I thought that networkmanager uses this config file because in /etc/sysconfig/wpa_supplicant there is
Code:
...
OTHER_ARGS="-s -c /etc/wpa_supplicant.conf"
...

Was it not the right place?

Re: [SOLVED] CA certificate key too weak

PostPosted: Oct 31st, '20, 11:42
by doktor5000
AFAICT it should be in the configuration stanza for your network, not in the global part.
Also have a look at the man page for wpa_supplicant https://linux.die.net/man/5/wpa_supplicant.conf and the example config file.

Re: [SOLVED] CA certificate key too weak

PostPosted: Nov 5th, '20, 08:15
by hank
As I understand it, networkmanager saves the wpa_supplicant configuration to /etc/sysconfig/network-scripts/, in a separate file for each network. It seems that these config files have a slightly different syntax compared to wpa_supplicant.conf, don't they? Thus I do not know how to add the required command.

Re: [SOLVED] CA certificate key too weak

PostPosted: Nov 5th, '20, 18:22
by doktor5000
If you are talking about the files below /etc/sysconfig/network-scripts/wireless.d/ then no, those are leftovers from net_applet / MCC and they are not used by networkmanager.

Re: [SOLVED] CA certificate key too weak

PostPosted: Nov 6th, '20, 11:50
by hank
doktor5000 wrote: If you are talking about the files below /etc/sysconfig/network-scripts/wireless.d/ then no, those are leftovers from net_applet / MCC and they are not used by networkmanager.

No, not in the wireless.d folder. My networkmanager config for my eduroam network is in the /etc/sysconfig/network-scripts/ifcfg-eduroam file:
Code:
ESSID=eduroam
MODE=Managed
KEY_MGMT=WPA-EAP
MAC_ADDRESS_RANDOMIZATION=default
TYPE=Wireless
IEEE_8021X_EAP_METHODS=TLS
IEEE_8021X_IDENTITY=xuser@organization.com
IEEE_8021X_CA_CERT=/home/xuser/.cert/root.pem
IEEE_8021X_PRIVATE_KEY=/home/xuser/.cert/user-xuser.pem
IEEE_8021X_CLIENT_CERT=/home/xuser/.cert/user-xuser.pem
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_PRIVACY=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eduroam
UUID=596cda5e-2a45-4855-99dd-9a8c5976cafc
ONBOOT=yes


I think that this is where nm saves the settings for my eduroam connection. Thus I wanted to type the tls_disable_tlsv1 command into this file. But it did not have any effect.

Re: [SOLVED] CA certificate key too weak

PostPosted: Nov 6th, '20, 17:18
by doktor5000
No, that's the classic ifcfg file which is only read via the rh-ifcfg plugin by networkmanager.
Networkmanager still uses the settings from /etc/wpa_supplicant.conf depending on what you selected how it should store your password.

Re: [SOLVED] CA certificate key too weak

PostPosted: Nov 16th, '20, 11:56
by hank
Sorry for my delayed response.

I tried to add "tls_disable_tlsv1_0=0" to the general part of /etc/wpa_supplicant.conf and set the DEFAULT crypto policy, but it did not work. The same message: CA certificate key too weak.

I will keep LEGACY setting. It works.

Thank you for your help.