
Recently upgraded to Ubuntu 22.04, and had some issues activating my eduroam WiFi connection. Specifically, I got the following message in syslog:

Mai 04 11:42:11 sliver wpa_supplicant[687]: TLS: Certificate verification failed, error 68 (CA signature digest algorithm too weak) depth 0 for '/C=DK/ST=Denmark/O=Aalborg Universitet/OU=IT Services/CN=wifi.aau.dk'

Right now, I can only activate the eduroam connection when I do not use a certificate. Looking at it with openssl x509 ..., it seems the certificate is still using SHA-1.

Is this an issue to be fixed by the cert issuer (i.e. my university's IT people), or is it an issue with the update to 22.04?

  • 1
    SHA1 certificates are deprecated for endpoint certs in modern security. This needs to be fixed by the university's IT staff. The enforcement of the deprecation is a result of the update to 22.04 and a stronger default security level, but the fix needs your university's IT staff to update the certificates in use to be sha256 signed and not sha1 signed. – Thomas Ward May 04 '22 at 12:44
  • OK, thanks for confirming, that's what I suspected as well. Ironically, my connection is currently less secure because I'm running without any certificate. Any suggestions for how to temporarily allow the old SHA1-based signatures again? – Florian Echtler May 04 '22 at 19:56
  • See my answer, I put an answer in that plays off another answer, but I got busy and couldn't write this sooner. – Thomas Ward May 05 '22 at 00:58
  • I know this isn't super helpful but I brought my dual boot 22.04 laptop into the office yesterday and didn't have issues with eduroam. Note - I hadn't connected my Linux partition to eduroam before so I didn't have the cert there on 20.04. – Will Butler May 05 '22 at 02:26
  • @WillButler chances are Eduroam is set up properly with a SHA256-signed certificate in your eduroam environment. That isn't going to be the case at other locations. – Thomas Ward May 05 '22 at 02:40

1 Answer

5

The issue here is because of Ubuntu following the OpenSSL 3 migration, and having a default security level of 2. The default security levels can be explained here (under "Default Callback Behavior") explaining what each level means in OpenSSL 3.0. Ubuntu uses the default level of 2 on the versions of OpenSSL it ships.

As of Ubuntu 22.04 Jammy, OpenSSL uses the default security level of 2. In the OpenSSL 3.0 migration guide changes were made to the OpenSSL default of level 1 such that "X509 certificates signed using SHA1 are no longer allowed at security level 1 and above." Unfortunately, because SHA1 certificates are 'insecure' now, you have to drop your config down to the security level of 0 which lets everything be accepted. Which is insecure, but until your IT group updates the certs, you don't have much of a choice here.

Per this answer, you should be able to adjust your configuration to use the older security defaults. I've adapted those instructions here.

Edit your /etc/ssl/openssl.cnf file. At the beginning of the file, add this:

openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0

Then reboot your system to make sure that the security levels are properly set, and test connecting. You should no longer have this issue. Be advised that this reduces the overall security of your system and may leave you open to vulnerabilities in older protocols and security ciphers in use on older sites or intentionally malicious sites.

Ultimately, the IT group of your university needs to reissue the certificate with a SHA256 signature and apply it to the eduroam infrastructure on their end. The aforementioned approach to reduce the security defaults is not guaranteed to be secure since SHA1 signed certificates are considered deprecated now by SSL standards. You should remove the configuration that is done here as soon as the IT team updates their certificates.

Alternatively, don't use a cert with your eduroam connection in the interim.

Thomas Ward
  • 74,764
  • 1
    Thank you, very comprehensive summary. I guess I'll leave the overall OpenSSL settings well alone, and will just not use a cert on my eduroam connection for now. – Florian Echtler May 05 '22 at 13:07
  • 1
    An alternative solution, only affecting wifi connections and not every usage of openssl in the system, is described here: https://ubuntuforums.org/showthread.php?t=2474436 – Fabio May 23 '22 at 12:01
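An added illustration of the check behind this thread (example code written for this page, not part of the question or of Thomas Ward's answer): a dependency-free Python script that takes a certificate in PEM or DER form, walks the DER to the outer signatureAlgorithm field (the same information `openssl x509 -noout -text` prints as "Signature Algorithm"), and reports whether the digest clears the minimum strength of a given OpenSSL @SECLEVEL. The per-level minimums (80/112/128/192/256 bits for levels 1 to 5, anything at level 0) and the rating of SHA-1 at 64 bits and MD5 at 39 bits are assumptions taken from OpenSSL 3's behaviour, which is what makes SHA-1 signed certificates fail at level 1 and above as the answer describes; the script name certsig.py and the sample certificate built inline are constructed for the demonstration and are not real certificates.

```python
"""Report which digest signed an X.509 certificate and whether OpenSSL 3 would
accept it at a given @SECLEVEL. Pure-Python DER walk: no openssl binary and no
third-party modules required. Example code written for this page; the rating
tables below are assumptions taken from OpenSSL 3 behaviour."""
import base64
import re
import sys

# signatureAlgorithm OID -> (name, security bits OpenSSL 3 assigns to the digest).
# Assumption: SHA-1 is rated 64 bits and MD5 39 bits, i.e. below the 80 bits that
# level 1 demands; SHA-2 digests are rated at half their output size.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", 39),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", 64),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", 128),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", 192),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", 256),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", 64),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", 128),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", 192),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", 256),
}
# Minimum digest strength per OpenSSL security level; level 0 accepts anything.
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Dotted form of an OBJECT IDENTIFIER's contents octets."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(data):
    """Accept PEM or DER bytes; return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the dotted OID inside the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, cert, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = der_tlv(cert)               # skip tbsCertificate
    tag, alg, _ = der_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag_oid, oid, _ = der_tlv(alg)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid)


def check_cert(data, seclevel=2):
    """-> (algorithm name, rated bits, accepted at this seclevel)."""
    oid = signature_oid(pem_to_der(data))
    name, bits = SIG_ALGS.get(oid, (oid, 0))
    return name, bits, bits >= SECLEVEL_MIN_BITS[seclevel]


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        lenb = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenb = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der_encode(0x06, bytes(out))


def sample_cert(sig_oid):
    """CONSTRUCTED stand-in for a certificate: empty tbsCertificate, the given
    signatureAlgorithm and a dummy signatureValue. Enough structure for the walk
    above; it is not a real, verifiable certificate."""
    tbs = der_encode(0x30, b"")
    alg = der_encode(0x30, encode_oid(sig_oid) + der_encode(0x05, b""))  # OID + NULL params
    sig = der_encode(0x03, b"\x00" * 17)                                  # BIT STRING, 0 unused bits
    return der_encode(0x30, tbs + alg + sig)


def sample_pem(sig_oid):
    """The constructed sample wrapped as PEM, to exercise pem_to_der()."""
    b64 = base64.b64encode(sample_cert(sig_oid))
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:        # real file: python3 certsig.py cert.pem [seclevel]
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print(check_cert(data, int(sys.argv[2]) if len(sys.argv) > 2 else 2))
    else:                        # no file given: show SHA-1 vs SHA-256 across levels
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            for level in (0, 1, 2):
                print(level, check_cert(sample_cert(oid), level))
```

Run it against the CA file the eduroam profile points at (`python3 certsig.py ca.pem 2`, with certsig.py and ca.pem as assumed names): a result ending in False at level 2 is the same verdict wpa_supplicant reports as "CA signature digest algorithm too weak" on a stock 22.04, while the same certificate passes at level 0, which is exactly what the openssl.cnf change above buys and why it should be reverted once a SHA-256 signed certificate is issued.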