Discussion:
can't connect to eduroam due to SSL3 unsupported protocol
Vincent Lefevre
2024-06-17 12:10:01 UTC
Hi,

Under Debian/unstable, I can't connect to eduroam due to the following
reason:

Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Anyone knows what's wrong?

(There were such kinds of issues several years ago, but I thought
this was fixed.)
--
Vincent Lefèvre <***@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
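Two things help when reading the journal lines above, and the small parser below (an added example, not code from the thread or from wpa_supplicant) pulls them out. First, wpa_supplicant's OpenSSL glue prints the fixed string "SSL3 alert" for every TLS alert record whatever version was negotiated, and "write (local SSL3 detected an error)" means the alert was generated by this client, not received from the server. Second, the OpenSSL 3 error code 0A000102 packs library 20 (SSL routines) and reason 258 (SSL_R_UNSUPPORTED_PROTOCOL), which the client raises when the version the server selected falls outside the client's configured min/max range. So the lines show the client refusing the server's protocol version; they do not by themselves show SSLv3 on the wire. The journal text is the one quoted above, embedded as constructed input.

```python
import re

# Constructed input: the five journal lines quoted in the post above.
JOURNAL = """\
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# IANA EAP method type numbers (RFC 3748 registry), TLS-based ones only.
EAP_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 52: "EAP-pwd"}

# OpenSSL 3 packs an error code as (library << 23) | reason.
ERR_LIB_OFFSET, ERR_LIB_MASK, ERR_REASON_MASK = 23, 0xFF, 0x7FFFFF
ERR_LIB_SSL = 20                   # printed as "SSL routines"
SSL_R_UNSUPPORTED_PROTOCOL = 258   # printed as "unsupported protocol"

# wpa_supplicant's ssl_info_cb prints "SSL3 alert" for every TLS alert record
# and marks the originating side: "write (local ...)" is this client,
# "read (remote ...)" is the server.
METHOD_RE = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor (\d+) method (\d+)")
ALERT_RE = re.compile(r"SSL: SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
OPENSSL_RE = re.compile(r"SSL_connect error:([0-9A-Fa-f]{8}):")
FAILURE_RE = re.compile(r"CTRL-EVENT-EAP-FAILURE")


def decode_openssl_error(code):
    """Split a packed OpenSSL 3 error code into (library, reason)."""
    return (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK, code & ERR_REASON_MASK


def parse_eap_tls_failure(journal):
    """Extract EAP method, TLS alert and OpenSSL error from wpa_supplicant
    journal lines. Fields that never appear stay None."""
    r = {"vendor": None, "method": None, "method_name": None,
         "alert_origin": None, "alert_level": None, "alert_desc": None,
         "openssl_code": None, "lib": None, "reason": None, "failed": False}
    for line in journal.splitlines():
        if m := METHOD_RE.search(line):
            r["vendor"], r["method"] = int(m.group(1)), int(m.group(2))
            r["method_name"] = EAP_METHODS.get(r["method"], f"type {r['method']}")
        elif m := ALERT_RE.search(line):
            r["alert_origin"] = "local" if m.group(1) == "write" else "remote"
            r["alert_level"], r["alert_desc"] = m.group(2), m.group(3).strip()
        elif m := OPENSSL_RE.search(line):
            r["openssl_code"] = int(m.group(1), 16)
            r["lib"], r["reason"] = decode_openssl_error(r["openssl_code"])
        elif FAILURE_RE.search(line):
            r["failed"] = True
    return r


def diagnose(r):
    """Turn the parsed fields into the sentence to put in front of the operator."""
    if (r["lib"], r["reason"]) == (ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL):
        return ("client rejected the server's TLS version: the EAP server's "
                "highest TLS version is below this client's configured minimum")
    if r["alert_origin"] == "remote" and r["alert_desc"] == "protocol version":
        return "server rejected the client's TLS version range; ask for the server's minimum"
    return "not a TLS version mismatch"


if __name__ == "__main__":
    parsed = parse_eap_tls_failure(JOURNAL)
    print(parsed)
    print(diagnose(parsed))
```

The `openssl list -disabled` output later in the thread shows what was compiled out of libssl; the floor that actually matters for this alert is the configured minimum (on Debian, /etc/ssl/openssl.cnf sets MinProtocol = TLSv1.2 system-wide), which `list -disabled` does not show.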
Marco Moock
2024-06-17 12:20:02 UTC
Post by Vincent Lefevre
Anyone knows what's wrong?
If they really rely on SSL 3.0, it is the fault of the network operator,
because that protocol is outdated, has some vulnerabilities and has been
deprecated for years. Most systems have it disabled by default.
--
Regards
Marco

Send unsolicited bulk mail to ***@cartoonies.org
Richard
2024-06-17 12:50:01 UTC
If your university still uses SSL 3.x instead of TLS, there might be
something wrong.

You could check on cat.eduroam.org if there's an installer for your
university, that's usually the easiest way to set up eduroam. On paper,
Debian does support PWD, but in reality I was never able to use it, while
on Android that method isn't an issue.

But in the end, on sid, things are expected to break. So a bug report
through the official channels should be the right way, if it's something
that isn't explicitly unsupported.

Richard
Post by Vincent Lefevre
Hi,
Under Debian/unstable, I can't connect to eduroam due to the following
reason:
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Anyone knows what's wrong?
(There were such kinds of issues several years ago, but I thought
this was fixed.)
--
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Dan Ritter
2024-06-17 12:50:01 UTC
Post by Vincent Lefevre
Hi,
Under Debian/unstable, I can't connect to eduroam due to the following
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Anyone knows what's wrong?
(There were such kinds of issues several years ago, but I thought
this was fixed.)
On stable:
$ openssl list -disabled
Disabled algorithms:
IDEA
MD2
MDC2
RC5
SCTP
SSL3
ZLIB

So, SSL3 support was removed at least that long ago. I think it
was actually dropped around 2016.

The problem is almost certainly that someone at the eduroam
server config doesn't know the difference between SSL3 and
TLS1.3, or something similar. You'll need to talk to them about
why they haven't enabled TLS1, 1.1, 1.2 or 1.3 -- of these, only
1.2 and 1.3 are recommended.

-dsr-
Vincent Lefevre
2024-06-17 14:20:01 UTC
Post by Dan Ritter
$ openssl list -disabled
IDEA
MD2
MDC2
RC5
SCTP
SSL3
ZLIB
So, SSL3 support was removed at least that long ago. I think it
was actually dropped around 2016.
That's strange because when I installed the machine in October,
there were no issues.
--
Vincent Lefèvre <***@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Dan Ritter
2024-06-17 19:30:01 UTC
Post by Vincent Lefevre
Post by Dan Ritter
$ openssl list -disabled
IDEA
MD2
MDC2
RC5
SCTP
SSL3
ZLIB
So, SSL3 support was removed at least that long ago. I think it
was actually dropped around 2016.
That's strange because when I installed the machine in October,
there were no issues.
Perhaps the change is not in your system but in theirs?

-dsr-
Vincent Lefevre
2024-06-20 09:10:01 UTC
Post by Dan Ritter
Post by Vincent Lefevre
Post by Dan Ritter
$ openssl list -disabled
IDEA
MD2
MDC2
RC5
SCTP
SSL3
ZLIB
So, SSL3 support was removed at least that long ago. I think it
was actually dropped around 2016.
That's strange because when I installed the machine in October,
there were no issues.
Perhaps the change is not in your system but in theirs?
I've got a confirmation that their Radius servers still use SSL3,
and they said that they could not upgrade them.

But perhaps the authentication is done differently when I connect
locally (still using eduroam)?

I could try again locally if need be.
--
Vincent Lefèvre <***@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Marco Moock
2024-06-20 09:10:01 UTC
Post by Vincent Lefevre
I've got a confirmation that their Radius servers still use SSL3,
and they said that they could not upgrade them.
Then they have very, very outdated stuff. Talk to the security
department at your site; maybe they can make them hurry up.
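If the home RADIUS server really tops out below TLS 1.2 (the client-side alert in the first post is consistent with that, but the log does not show which version the server offered, so this is an assumption), wpa_supplicant can be told to accept TLS 1.0/1.1 for that one network while the operator fixes the server. The block below is an added example, not from the thread and not eduroam's or Debian's recommended configuration; the realm, CA file path, server name and password are placeholders. Two checks before lowering anything: ca_cert and domain_match must be set, because with PEAP the inner MSCHAPv2 exchange is protected only by the outer tunnel's server authentication, and a lower TLS floor makes correct server validation more important, not less; and the override must be per-network rather than the global openssl_ciphers, so it does not weaken every other EAP network on the machine.

```conf
# Added example: wpa_supplicant.conf network block for eduroam over
# PEAP/MSCHAPv2 with the TLS floor lowered for this SSID only.
# Placeholders: the identity realm, CA file path, domain_match and password.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity carries only the realm, so the visited site learns
    # nothing but where to route the request; the real username goes
    # inside the tunnel.
    anonymous_identity="anonymous@somewhere-else.edu"
    identity="user@somewhere-else.edu"
    password="changeme"
    phase2="auth=MSCHAPV2"

    # Server authentication: mandatory. Without both lines any rogue AP
    # that speaks PEAP gets an MSCHAPv2 exchange with your credentials.
    ca_cert="/etc/ssl/certs/somewhere-else-edu-ca.pem"
    domain_match="radius.somewhere-else.edu"

    # Temporary downgrade, this network only. tls_disable_tlsv1_0=0 and
    # tls_disable_tlsv1_1=0 re-enable TLS 1.0/1.1, overriding the system
    # MinProtocol; SECLEVEL=0 is needed because OpenSSL 3 permits those
    # versions only at security level 0. Remove once the server is fixed.
    phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"
    openssl_ciphers="DEFAULT@SECLEVEL=0"
}
```

If the handshake still fails with the same alert after this change, the server is selecting something outside even that range, and the downgrade should be reverted rather than widened further.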
d***@tuxfamily.org
2024-06-21 12:10:01 UTC
Hello
Post by Vincent Lefevre
Post by Dan Ritter
$ openssl list -disabled
IDEA
MD2
MDC2
RC5
SCTP
SSL3
ZLIB
So, SSL3 support was removed at least that long ago. I think it
was actually dropped around 2016.
That's strange because when I installed the machine in October,
there were no issues.
SSLv3 was deprecated years ago and replaced by TLS. SSLv3 support in
Debian was dropped a while ago, as in most OSes (except obsolete ones,
from 2016 and before).

Even TLS 1.0 and 1.1 should be avoided whenever possible.

Maybe it worked because it used correct configuration/hardware/software.
If it supports SSLv3 and not TLS, it's outdated software.

The best thing you could do is to

- try Debian stable from a live USB to check if it also tries to use SSLv3.
  If it tries to use SSLv3 as well, chances are the authentication
  server only offers SSLv3 and is outdated.
  If it doesn't and it connects using TLS (preferably v1.2 or 1.3), maybe
  there is a bug in unstable which leads the client (Debian unstable) to try
  to use SSLv3 (erratically).
- contact your Uni Eduroam support to see if anything changed since last
  October.

Stefan Monnier
2024-06-17 14:20:02 UTC
Post by Vincent Lefevre
Under Debian/unstable, I can't connect to eduroam due to the following
AFAIK, while "the eduroam" looks like one thing, it's just a bunch of
local wifi networks, each one administered and managed mostly independently
and with different configurations. By and large, if you can connect to
eduroam at one place it's likely it'll also work elsewhere, but it's not
always the case.


Stefan
Vincent Lefevre
2024-06-17 15:10:01 UTC
Post by Stefan Monnier
Post by Vincent Lefevre
Under Debian/unstable, I can't connect to eduroam due to the following
AFAIK, while "the eduroam" looks like one thing it's just a bunch of
local wifi networks, each one administered&managed mostly independently
and with different configurations. By and large, if you can connect to
eduroam at one place it's likely it'll also work elsewhere but it's not
always the case.
Isn't the authentication done by the remote side, thus will always
require the same protocol for a given account?
--
Vincent Lefèvre <***@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Richard
2024-06-17 15:30:02 UTC
There is coordination, so you can use the same login data all over the
world. At least that's how it's supposed to work. But afaik the protocols
themselves aren't predefined. That's up to the local IT department and how they
implement this. Authentication should always be done locally, with
synchronization between facilities. At least to my understanding, but I'm
no eduroam professional.

Richard

On Mon, 17 June 2024 at 17:02, Vincent Lefevre <
Post by Vincent Lefevre
Isn't the authentication done by the remote side, thus will always
require the same protocol for a given account?
--
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Nicolas George
2024-06-17 15:40:02 UTC
Post by Richard
There is a coordination, so you can use the same login data all over the
world. At least that's how it's supposed to work. But afaik the protocols
themselves aren't predefined. That's up to the local IT department how they
implement this. Authentication should always be done locally, with
synchronization between facilities. At least to my understanding, but I'm
no eduroam professional.
That would require that all establishments download and keep in sync the
whole database of users of all other establishments. That is not
sustainable, and I am not even talking about the privacy concerns.

What happens is that the local Radius for Eduroam forwards the authentication
request to the Radius of the origin institution.

For example, if the security officer of here.edu knows there was an
incident on a local Eduroam IP, they can know it was authenticated for
“***@somewhere-else.edu”, and they need to ask the security
officer of somewhere-else.edu to get further details.
Post by Richard
On Mon, 17 June 2024 at 17:02, Vincent Lefevre <
Please do not top-post.

Regards,
--
Nicolas George
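The forwarding Nicolas describes, as a toy model in code (an added example, not eduroam's own software or configuration). It routes an Access-Request by the realm of the outer identity and only lets the last hop terminate the TLS tunnel, which is the point that bears on the earlier question of whether connecting locally would authenticate differently: in this model the EAP server, and therefore the TLS version it accepts, is the home realm's server whether the user sits at here.edu or at home. The realms here.edu and somewhere-else.edu come from the post above; the server hostnames, the proxy name tlr.example and the per-server TLS version sets are assumptions made for the example.

```python
"""Toy model of eduroam's realm-based RADIUS proxying (added example, not
eduroam's own code). Hostnames, the proxy name and the TLS version sets
are illustrative assumptions."""

# TLS versions as (major, minor) on the wire.
TLS1_0, TLS1_1, TLS1_2, TLS1_3 = (3, 1), (3, 2), (3, 3), (3, 4)

# Per institution: the realms its RADIUS server authenticates itself, and the
# TLS versions its EAP server accepts (assumed values for the example).
SERVERS = {
    "radius.here.edu":           {"realms": {"here.edu"},           "tls": {TLS1_2, TLS1_3}},
    "radius.somewhere-else.edu": {"realms": {"somewhere-else.edu"}, "tls": {TLS1_0, TLS1_1}},
}
TOP_LEVEL_PROXY = "tlr.example"  # made-up federation proxy that routes by realm


def split_nai(outer_identity):
    """Split an RFC 7542 NAI (user@realm). Only the realm is used for routing,
    which is why an outer identity of anonymous@realm is enough."""
    if "@" not in outer_identity:
        raise ValueError("outer identity has no realm; cannot be routed")
    user, realm = outer_identity.rsplit("@", 1)
    if not user or not realm:
        raise ValueError("malformed NAI")
    return user, realm.lower()


def route(visited, outer_identity):
    """Hops an Access-Request takes from the visited site's RADIUS server to
    the server that terminates EAP. Each hop looks only at the realm; the
    EAP-Message attributes, and the TLS handshake inside them, are relayed
    unread."""
    _, realm = split_nai(outer_identity)
    if realm in SERVERS[visited]["realms"]:
        return [visited]
    for name, srv in SERVERS.items():
        if realm in srv["realms"]:
            return [visited, TOP_LEVEL_PROXY, name]
    raise LookupError(f"no route for realm {realm}: Access-Reject")


def negotiate_tls(client_versions, hops):
    """The TLS tunnel ends at the last hop, so only that server's versions
    matter. Returns the highest common version or None, which on the wire is
    a protocol_version alert."""
    common = set(client_versions) & SERVERS[hops[-1]]["tls"]
    return max(common) if common else None


def authenticate(visited, outer_identity, client_versions):
    hops = route(visited, outer_identity)
    version = negotiate_tls(client_versions, hops)
    return {"hops": hops, "eap_server": hops[-1], "tls": version,
            "tunnel": "established" if version else "failed: protocol version alert"}


if __name__ == "__main__":
    modern = {TLS1_2, TLS1_3}
    # Roaming at here.edu and sitting at somewhere-else.edu give the same
    # answer for a somewhere-else.edu user: the EAP server is the same box.
    print(authenticate("radius.here.edu", "anonymous@somewhere-else.edu", modern))
    print(authenticate("radius.somewhere-else.edu", "anonymous@somewhere-else.edu", modern))
    print(authenticate("radius.somewhere-else.edu", "anonymous@here.edu", modern))
```

The visited site keeps, per session, only what it saw: the outer identity, hence the realm, plus the client's MAC and assigned IP. That is exactly the trail the security-officer scenario above relies on, and exactly why the visited site cannot say more than which realm to ask.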