NM doesnt allow to configure phase2 certificate for wpasupplicant (Was: Fail to connect with TLS and client certificate)

15:46 < asac> torkel: TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2
15:46 < asac> torkel: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
15:46 < asac> so your CA appears to be not known
15:48 < asac> torkel: http://www.madboa.com/geek/openssl/#verify-standard
15:48 < asac> torkel: can you try that?

$ openssl verify -verbose -CAfile umueduroamca.pem umu_eduroam_bjto0001.pem
umu_eduroam_bjto0001.pem: OK

So, yes the certificate is OK.

However if I remove the CA certificate (I still have it in /etc/ssl/certs though) it seems to be working (I will test more tomorrow).

When trying to readd the CA certificate in the n-m connection manager I get the following error:

Updating connection failed: client cert

latest comments in bug 272185 look similar. thats about wireless + tls (EAP). i think

ok. as you commented in 272185, this is a dupe. lets continue there.

Alexander, I don't think that this bug is the same as 272185. It might be related but it is not the same.

I have the problem that when setting up an WPA2/EAP/TLS network in nm 0.7, I get an error when I try to save the setup.

The error is in the wireless security tab. After completing the login information, selecting the 3 certificates (user cert, Ca cert and PK cert) and specifying the private key password. I press OK and I get: Updating Connection Failed: client-cert.

This has been happening since nm 0.7 in hardy when I was testing this summer. It continues to this day.

Ok. I checked again. The bug on the gui only happens when you try to edit the settings already in place. It does not happen when you first create the eap network.

I'm not sure it's really solved.

If I try to connect with a fresh setup from the network manager gui, it works but /var/log/wpa_supplicant.log contains:

CTRL-EVENT-SCAN-RESULTS
Associated with 00:1e:be:a7:f6:90
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:1e:be:a7:f6:90 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:1e:be:a7:f6:90 completed (reauth) [id=0 id_str=]

So it seems it didn't succeed to validate the certificate... but it continues (dangerous)

If I try to update the settings, it doesn't work because of a self-certificate in the certificate chain:

Associated with 00:1e:be:a8:38:20
CTRL-EVENT-SCAN-RESULTS
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

So my hypothesis is that we have two bugs:

- one with no validation of certificate when settings are new
- one with strange validation of root certificate (of course it's a self certfiicate ! ;-)