Comment 215 for bug 1104476

(In reply to Dan Williams from comment #3)
> (In reply to Kevin Havener from comment #0)
> > Description of problem: After updating to wpa_supplicant 2.4-3 on July 1,
> > was unable to connect to my corporate wifi access point. Subsequent
> > downgrade to wpa_supplicant 2.3-3 fixed access problem, so I think this is a
> > wpa_supplicant bug
> >
> >
> > Version-Release number of selected component (if applicable): wpa_supplicant
> > 2.4-3
> >
> >
> > How reproducible: Upgrade to 2.4-3 try to access wpa/wpa2 wifi with TTLS
> > authentication that has been working for well over a year now. Fails.
> > Downgrade to 2.3-3 and it works again.
>
> This appears to be an OpenSSL issue, not a wpa_supplicant one:
>
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
> OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL
> routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
> wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
>
> for exmaple, see:
>
> https://bbs.archlinux.org/viewtopic.php?id=198796
> http://alicevixie.blogspot.com/2015/06/dh-key-too-small.html

More info: wpa_supplicant 2.4 may trigger this where 2.3 would not, becuase 2.4 enables some new ciphers for use with TLSv1.2, and the server may have enabled DH only for those ciphers that are now enabled.

The options are to either get your network admins to fix the DH key issue by using something > 768 bits, or to disable TLSv1.2 for now until they fix it.

But as a test, here's a wpa_supplicant with TLSv1.2 disabled by default. If you could test it on your network where you get the "dh key too small" error to see if that fixes the issue, then great, we can proceed with a more general solution. But if it doesn't fix the issue, then we'll need to dig a bit deeper and there may not be a general fix.

http://koji.fedoraproject.org/koji/taskinfo?taskID=10392924