2

My office WiFi uses WPA & WPA2 Enterprise Security with PEAP authentication, and MSCHAPv2 for inner authentication.

Since upgrading to Ubuntu 22.04, I am unable to connect to my office WiFi. Here's what I get in my syslog when trying to connect...

    wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
    wlp0s20f3: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
    wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=censored01.censored.local' hash=52e340fc31204b7f84c085407067b2bc1b320954930059e5358b51c453ff8f6e
    wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:censored01.censored.local
    wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=censored01.censored.local' hash=52e340fc31204b7f84c085407067b2bc1b320954930059e5358b51c453ff8f6e
    wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:censored01.censored.local
    wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=censored01.censored.local' hash=52e340fc31204b7f84c085407067b2bc1b320954930059e5358b51c453ff8f6e
    wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:censored01.censored.local
    SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
    OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
    wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
    wlp0s20f3: Authentication with 58:b6:33:bb:19:4c timed out.
    wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid=58:b6:33:bb:19:4c reason=3 locally_generated=1
    wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Censored Secure" auth_failures=2 duration=28 reason=AUTH_FAILED
    BSSID 58:b6:33:bb:19:4c ignore list count incremented to 2, ignoring for 10 seconds
    wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Censored Secure" auth_failures=3 duration=32 reason=CONN_FAILED

I've done some searching for these error messages, and I've seen some recommendations to allow OpenSSL to "allow unsafe legacy renegotiations." That sounds unsafe, for obvious reasons, so I'm reluctant to try it without understanding more.

Is this a known bug in Ubuntu 22.04? Is there a workaround I'm unaware of? Is it safe to enable unsafe renegotiations?

(Edit: here's an Ubuntu bug tracker discussion, with the aforementioned workaround recommendation. I'd be happy to use the workaround, except that I'm worried it will cause security problems if I'm using WiFi elsewhere...)

John Chrysostom
  • Hi John, I can't see the link to the bug tracker - is this the one? https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/comments/7 – ThankYee May 15 '22 at 22:06
  • Here is a good and easy way to patch the issue ...: https://askubuntu.com/a/1405397/47501 – Antoon Stessels May 19 '22 at 07:23
  • Thanks @AntoonStessels. I've seen that option recommended, but I didn't know if it was safe to be disabling security features like that. Thankfully, in my case, my office IT folks were able to update our security infrastructure. Apparently, this issue only crops up with super-outdated WiFi security practices, so it's WAD from Ubuntu's perspective. (I'll leave it up to others to argue whether the Ubuntu change was a wise idea or not.) – John Chrysostom Jun 02 '22 at 12:33
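
An added example, not part of the original question, comments or answers: a small Python parser that splits wpa_supplicant syslog output into EAP attempts and reports which side raised the TLS alert, which separates a client-side TLS failure like the one logged above from a server-side rejection. The sample lines are a constructed subset of the log quoted in the question; the function names and diagnosis strings are this example's own.

```python
import re

# Constructed sample: a subset of the syslog lines quoted in the question.
SAMPLE_LOG = """\
wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:censored01.censored.local
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# "read" = alert received from the server, "write" = alert sent by this client.
ALERT_RE = re.compile(r"SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:[^:]*:(.+)$")
METHOD_RE = re.compile(r"CTRL-EVENT-EAP-METHOD .*\((\S+)\) selected")

def summarize_attempts(log_text):
    """Split wpa_supplicant log text into one record per EAP attempt."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if "CTRL-EVENT-EAP-STARTED" in line:
            cur = {"method": None, "server_cert_seen": False, "alert_origin": None,
                   "alert": None, "openssl_error": None, "outcome": "incomplete"}
            attempts.append(cur)
        elif cur is None:
            continue  # ignore lines before the first EAP start
        elif m := METHOD_RE.search(line):
            cur["method"] = m.group(1)
        elif "CTRL-EVENT-EAP-PEER-" in line:
            cur["server_cert_seen"] = True  # server certificate details were logged
        elif m := ALERT_RE.search(line):
            cur["alert_origin"] = "local" if m.group(1) == "write" else "remote"
            cur["alert"] = f"{m.group(2)}:{m.group(3)}"
        elif m := OSSL_RE.search(line):
            cur["openssl_error"] = (m.group(1), m.group(2))  # (code, reason text)
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            cur["outcome"] = "failure"
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            cur["outcome"] = "success"
    return attempts

def diagnose(a):
    """Say where a failed attempt broke; the wording is this example's own."""
    if a["outcome"] != "failure":
        return a["outcome"]
    return {"local": "TLS alert raised by the local TLS library",
            "remote": "TLS alert received from the authentication server",
            None: "EAP failure with no TLS alert logged"}[a["alert_origin"]]
```

On the sample, `diagnose(summarize_attempts(SAMPLE_LOG)[0])` reports a locally raised alert: the client's own OpenSSL stopped inside `SSL_connect`, so the PEAP tunnel was never established and the MSCHAPv2 credentials were never sent.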

2 Answers

1

To fix the issue, you can downgrade to wpasupplicant 2.9.0 build 1

  1. Create a file "/etc/apt/sources.list.d/impish.list"
  2. Add the lines below to "impish.list" and save:
    deb http://archive.ubuntu.com/ubuntu/ impish main restricted universe multiverse
    deb http://archive.ubuntu.com/ubuntu/ impish-updates main restricted universe multiverse
    deb http://archive.ubuntu.com/ubuntu/ impish-security main restricted universe multiverse
  3. sudo apt update
  4. sudo apt -y --allow-downgrades install wpasupplicant=2:2.9.0-21build1
  5. sudo apt-mark hold wpasupplicant

After the vendor releases a fix, you can roll back the changes with:

    sudo rm -f /etc/apt/sources.list.d/impish.list
    sudo apt-mark unhold wpasupplicant
    sudo apt-get update
    sudo apt-get install wpasupplicant

0

[UPDATE]

The impish source is no longer working. I used the following which worked:

  1. sudo nano /etc/apt/sources.list
  2. Add the following line to the end and save:
    deb http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
  3. sudo apt update
  4. sudo apt -y --allow-downgrades install wpasupplicant=2:2.9-1ubuntu4.3
  5. sudo apt-mark hold wpasupplicant
Nik
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. – Community Mar 22 '23 at 19:17