
NetworkManager fails to connect to enterprise network #193646

Open
fee1-dead opened this issue Sep 30, 2022 · 21 comments

Comments

@fee1-dead
Member

Describe the bug

There is more information on the Red Hat issue, but the wpa_supplicant used by NetworkManager fails due to an OpenSSL "unsafe legacy renegotiation disabled" error. This happens on networks from Aruba on the unstable channel.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Connect to an enterprise network affected by this bug. (e.g. Aruba)
  2. connection keeps prompting for passwords
  3. fails to connect

Expected behavior

successfully connect to the enterprise network

Additional context

This might be an upstream issue, but there should at least be a configuration option that changes the openssl config used by the wpa_supplicant that NetworkManager uses, so that it is possible to connect to these networks.

Notify maintainers

@domenkozar @obadz @maxeaubrey

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.70, NixOS, 22.05 (Quokka), 22.05.3300.82379884b2e`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(root): `"home-manager-22.05.tar.gz, nixos"`
 - channels(user): `"home-manager"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

This is the metadata on the version that works (22.05)

@Myaats
Member

Myaats commented Oct 3, 2022

I had the same happen with eduroam at my institution. After a quick look at how to override openssl, I ended up with this workaround that does not require pulling down this patch: https://w1.fi/cgit/hostap/commit/?id=566ce69a8d0e64093309cbde80235aa522fbf84e

{
  # Point wpa_supplicant (and only wpa_supplicant) at an OpenSSL config that
  # re-enables legacy renegotiation; the system-wide OpenSSL policy is untouched.
  systemd.services.wpa_supplicant.environment.OPENSSL_CONF = pkgs.writeText "openssl.cnf" ''
    openssl_conf = openssl_init
    [openssl_init]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    Options = UnsafeLegacyRenegotiation
  '';
}

@AmeerTaweel
Contributor

AmeerTaweel commented Oct 24, 2022

Two of my friends and I have the same issue with our university's network. We're the only NixOS users in university (as far as we know). All other students can connect normally.

@Myaats workaround did not work for us.

@fee1-dead
Member Author

@AmeerTaweel: We might have different issues. Do you mind sharing the log for wpa_supplicant?

@AmeerTaweel
Contributor

@fee1-dead sure, but can you please tell me the exact command to run? This is the first time I deal with wpa_supplicant...

@fee1-dead
Member Author

If you are using NetworkManager, then I guess journalctl? ..

@AmeerTaweel
Contributor

I just tried to connect to the university's network. This is the log:

Oct 25 16:17:09 fg001 dhcpcd[1008]: wlo1: old hardware address: 5e:b3:ea:7c:cb:bd
Oct 25 16:17:09 fg001 dhcpcd[1008]: wlo1: new hardware address: d0:c6:37:3e:44:c8
Oct 25 16:17:09 fg001 wpa_supplicant[1320]: wlo1: SME: Trying to authenticate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 16:17:09 fg001 kernel: wlo1: authenticate with d8:84:66:5d:7e:80
Oct 25 16:17:09 fg001 kernel: wlo1: send auth to d8:84:66:5d:7e:80 (try 1/3)
Oct 25 16:17:09 fg001 wpa_supplicant[1320]: wlo1: Trying to associate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 16:17:09 fg001 kernel: wlo1: authenticated
Oct 25 16:17:09 fg001 kernel: wlo1: associate with d8:84:66:5d:7e:80 (try 1/3)
Oct 25 16:17:09 fg001 kernel: wlo1: RX AssocResp from d8:84:66:5d:7e:80 (capab=0x411 status=0 aid=4)
Oct 25 16:17:09 fg001 wpa_supplicant[1320]: wlo1: Associated with d8:84:66:5d:7e:80
Oct 25 16:17:09 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Oct 25 16:17:09 fg001 kernel: wlo1: associated
Oct 25 16:17:09 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-STARTED EAP authentication started
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 25 16:17:10 fg001 kernel: wlo1: disassociated from d8:84:66:5d:7e:80 (Reason: 23=IEEE8021X_FAILED)
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-DISCONNECTED bssid=d8:84:66:5d:7e:80 reason=23
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="KU" auth_failures=1 duration=10 reason=AUTH_FAILED
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: BSSID d8:84:66:5d:7e:80 ignore list count incremented to 2, ignoring for 10 seconds
Oct 25 16:17:10 fg001 dhcpcd[1008]: wlo1: carrier lost
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-SSID-REENABLED id=0 ssid="KU"
Oct 25 16:17:21 fg001 kernel: wlo1: authenticate with d8:84:66:5d:7e:80
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: SME: Trying to authenticate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 16:17:21 fg001 kernel: wlo1: send auth to d8:84:66:5d:7e:80 (try 1/3)
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: Trying to associate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 16:17:21 fg001 kernel: wlo1: authenticated
Oct 25 16:17:21 fg001 kernel: wlo1: associate with d8:84:66:5d:7e:80 (try 1/3)
Oct 25 16:17:21 fg001 kernel: wlo1: RX AssocResp from d8:84:66:5d:7e:80 (capab=0x411 status=0 aid=4)
Oct 25 16:17:21 fg001 kernel: wlo1: associated
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: Associated with d8:84:66:5d:7e:80
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-STARTED EAP authentication started
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 25 16:17:21 fg001 kernel: wlo1: disassociated from d8:84:66:5d:7e:80 (Reason: 23=IEEE8021X_FAILED)
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-DISCONNECTED bssid=d8:84:66:5d:7e:80 reason=23
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="KU" auth_failures=2 duration=35 reason=AUTH_FAILED
Oct 25 16:17:21 fg001 wpa_supplicant[1320]: BSSID d8:84:66:5d:7e:80 ignore list count incremented to 3, ignoring for 60 seconds
Oct 25 16:17:22 fg001 dhcpcd[1008]: wlo1: carrier lost
Oct 25 16:17:34 fg001 NetworkManager[1085]: <warn>  [1666703854.5926] device (wlo1): Activation: (wifi) association took too long
Oct 25 16:17:34 fg001 NetworkManager[1085]: <warn>  [1666703854.5940] device (wlo1): Activation: (wifi) asking for new secrets
Oct 25 16:17:34 fg001 .nm-applet-wrap[76974]: No keyring secrets found for KU/802-1x; asking user.
Oct 25 16:17:34 fg001 dbus-daemon[992]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.250' (uid=1000 pid=76974 comm="/nix/store/ifjw45vsjh07fgiyk15d93chm2nw55vf-networ" label="kernel")
Oct 25 16:17:34 fg001 systemd[1]: Starting Hostname Service...
Oct 25 16:17:34 fg001 dbus-daemon[992]: [system] Successfully activated service 'org.freedesktop.hostname1'
Oct 25 16:17:34 fg001 systemd[1]: Started Hostname Service.
Oct 25 16:17:36 fg001 NetworkManager[1085]: <warn>  [1666703856.2863] device (wlo1): no secrets: User canceled the secrets request.
Oct 25 16:17:36 fg001 dhcpcd[1008]: wlo1: old hardware address: d0:c6:37:3e:44:c8
Oct 25 16:17:36 fg001 dhcpcd[1008]: wlo1: new hardware address: 1e:e9:1c:ac:33:45
Oct 25 16:17:36 fg001 NetworkManager[1085]: <warn>  [1666703856.2956] device (wlo1): Activation: failed for connection 'KU'
Oct 25 16:18:04 fg001 systemd[1]: systemd-hostnamed.service: Deactivated successfully.

@fee1-dead
Member Author

You might need to decrease the minimum supported TLS version. In the openssl conf for wpa_supplicant, try adding these two lines:

MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1

@AmeerTaweel
Contributor

I tried adding these lines to systemd.services.wpa_supplicant.environment.OPENSSL_CONF, and it did not work. Here are the new logs:

Oct 25 20:52:04 fg001 systemd[1]: Starting WPA supplicant...
Oct 25 20:52:04 fg001 wpa_supplicant[204780]: Successfully initialized wpa_supplicant
Oct 25 20:52:04 fg001 systemd[1]: Started WPA supplicant.
Oct 25 20:52:04 fg001 nixos[201796]: finished switching to system configuration /nix/store/l2mavv7m2brlqg7jbhzngyrz5dmgpv7y-nixos-system-fg001-22.11.20221021.93e0ac1
Oct 25 20:52:04 fg001 sudo[201795]: pam_unix(sudo:session): session closed for user root
Oct 25 20:52:04 fg001 sudo[200472]: pam_unix(sudo:session): session closed for user root
Oct 25 20:52:13 fg001 NetworkManager[1085]: <warn>  [1666720333.2781] device (wlo1): re-acquiring supplicant interface (#1).
Oct 25 20:52:42 fg001 sxhkd[77951]: [77987:78003:1025/205242.080055:ERROR:ssl_client_socket_impl.cc(983)] handshake failed; returned -1, SSL error code 1, net_error -107
Oct 25 20:52:42 fg001 sxhkd[77951]: [77987:78003:1025/205242.088870:ERROR:ssl_client_socket_impl.cc(983)] handshake failed; returned -1, SSL error code 1, net_error -107
Oct 25 20:52:42 fg001 sxhkd[77951]: [77987:78003:1025/205242.107725:ERROR:ssl_client_socket_impl.cc(983)] handshake failed; returned -1, SSL error code 1, net_error -107
Oct 25 20:52:42 fg001 sxhkd[77951]: [77987:78003:1025/205242.118589:ERROR:ssl_client_socket_impl.cc(983)] handshake failed; returned -1, SSL error code 1, net_error -107
Oct 25 20:52:48 fg001 dhcpcd[1008]: wlo1: old hardware address: 7e:02:5a:13:77:0d
Oct 25 20:52:48 fg001 dhcpcd[1008]: wlo1: new hardware address: d0:c6:37:3e:44:c8
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: SME: Trying to authenticate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 20:52:48 fg001 kernel: wlo1: authenticate with d8:84:66:5d:7e:80
Oct 25 20:52:48 fg001 kernel: wlo1: send auth to d8:84:66:5d:7e:80 (try 1/3)
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: Trying to associate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 20:52:48 fg001 kernel: wlo1: authenticated
Oct 25 20:52:48 fg001 kernel: wlo1: associate with d8:84:66:5d:7e:80 (try 1/3)
Oct 25 20:52:48 fg001 kernel: wlo1: RX AssocResp from d8:84:66:5d:7e:80 (capab=0x411 status=0 aid=5)
Oct 25 20:52:48 fg001 kernel: wlo1: associated
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: Associated with d8:84:66:5d:7e:80
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-STARTED EAP authentication started
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 25 20:52:48 fg001 kernel: wlo1: disassociated from d8:84:66:5d:7e:80 (Reason: 23=IEEE8021X_FAILED)
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-DISCONNECTED bssid=d8:84:66:5d:7e:80 reason=23
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="KU" auth_failures=1 duration=10 reason=AUTH_FAILED
Oct 25 20:52:48 fg001 wpa_supplicant[204780]: BSSID d8:84:66:5d:7e:80 ignore list count incremented to 2, ignoring for 10 seconds
Oct 25 20:52:49 fg001 dhcpcd[1008]: wlo1: carrier lost
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-SSID-REENABLED id=0 ssid="KU"
Oct 25 20:52:59 fg001 kernel: wlo1: authenticate with d8:84:66:5d:7e:80
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: SME: Trying to authenticate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 20:52:59 fg001 kernel: wlo1: send auth to d8:84:66:5d:7e:80 (try 1/3)
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: Trying to associate with d8:84:66:5d:7e:80 (SSID='KU' freq=5220 MHz)
Oct 25 20:52:59 fg001 kernel: wlo1: authenticated
Oct 25 20:52:59 fg001 kernel: wlo1: associate with d8:84:66:5d:7e:80 (try 1/3)
Oct 25 20:52:59 fg001 kernel: wlo1: RX AssocResp from d8:84:66:5d:7e:80 (capab=0x411 status=0 aid=5)
Oct 25 20:52:59 fg001 kernel: wlo1: associated
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: Associated with d8:84:66:5d:7e:80
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-STARTED EAP authentication started
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=KUADRAD01.kocun.dslocal' hash=8bd1292d3828a5d6fbb08741ff15f8b7688fe7e53ad27a0ea88a8fac99696d27
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:KUADRAD01.kocun.dslocal
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 25 20:52:59 fg001 kernel: wlo1: disassociated from d8:84:66:5d:7e:80 (Reason: 23=IEEE8021X_FAILED)
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-DISCONNECTED bssid=d8:84:66:5d:7e:80 reason=23
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: wlo1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="KU" auth_failures=2 duration=36 reason=AUTH_FAILED
Oct 25 20:52:59 fg001 wpa_supplicant[204780]: BSSID d8:84:66:5d:7e:80 ignore list count incremented to 3, ignoring for 60 seconds
Oct 25 20:53:00 fg001 dhcpcd[1008]: wlo1: carrier lost
Oct 25 20:53:13 fg001 NetworkManager[1085]: <warn>  [1666720393.2713] device (wlo1): Activation: (wifi) association took too long
Oct 25 20:53:13 fg001 NetworkManager[1085]: <warn>  [1666720393.2729] device (wlo1): Activation: (wifi) asking for new secrets
Oct 25 20:53:13 fg001 .nm-applet-wrap[76974]: No keyring secrets found for KU/802-1x; asking user.
Oct 25 20:53:13 fg001 dbus-daemon[992]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.250' (uid=1000 pid=76974 comm="/nix/store/ifjw45vsjh07fgiyk15d93chm2nw55vf-networ" label="kernel")
Oct 25 20:53:13 fg001 systemd[1]: Starting Hostname Service...
Oct 25 20:53:13 fg001 dbus-daemon[992]: [system] Successfully activated service 'org.freedesktop.hostname1'
Oct 25 20:53:13 fg001 systemd[1]: Started Hostname Service.
Oct 25 20:53:15 fg001 NetworkManager[1085]: <warn>  [1666720395.3063] device (wlo1): no secrets: User canceled the secrets request.
Oct 25 20:53:15 fg001 dhcpcd[1008]: wlo1: old hardware address: d0:c6:37:3e:44:c8
Oct 25 20:53:15 fg001 dhcpcd[1008]: wlo1: new hardware address: 0e:bc:05:ef:1b:3f
Oct 25 20:53:15 fg001 NetworkManager[1085]: <warn>  [1666720395.3153] device (wlo1): Activation: failed for connection 'KU'

@AmeerTaweel
Contributor

Nvm, my problem is solved.
Yesterday, I updated my flake and it solved the problem. It's not like I had an old version, mine was just around two weeks old, but it seems like they fixed the problem...

@nilp0inter
Contributor

I am also affected by this one using nixos-22.11.

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.82, NixOS, 22.11 (Raccoon), 22.11.20221211.dfef2e6`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.11.0`
 - channels(root): `"nixos-22.11"`
 - channels(nil): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

These are the relevant logs:

dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=ES
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: SME: Trying to authenticate with 2a:3f:1b:xx:xx:xx (SSID='XXXXX' freq=5260 MHz)
dic 12 13:39:12 absolut kernel: wlan0: authenticate with 2a:3f:1b:xx:xx:xx
dic 12 13:39:12 absolut kernel: wlan0: send auth to 2a:3f:1b:xx:xx:xx (try 1/3)
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: Trying to associate with 2a:3f:1b:xx:xx:xx (SSID='XXXXX' freq=5260 MHz)
dic 12 13:39:12 absolut kernel: wlan0: authenticated
dic 12 13:39:12 absolut kernel: wlan0: associate with 2a:3f:1b:xx:xx:xx (try 1/3)
dic 12 13:39:12 absolut kernel: wlan0: RX AssocResp from 2a:3f:1b:xx:xx:xx (capab=0x1511 status=0 aid=5)
dic 12 13:39:12 absolut kernel: wlan0: associated
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: Associated with 2a:3f:1b:xx:xx:xx
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=26 -> NAK
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
dic 12 13:39:12 absolut wpa_supplicant[1579]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
dic 12 13:39:12 absolut wpa_supplicant[1579]: OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled
dic 12 13:39:12 absolut kernel: wlan0: Limiting TX power to 20 (23 - 3) dBm as advertised by 2a:3f:1b:xx:xx:xx
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
dic 12 13:39:12 absolut kernel: wlan0: deauthenticated from 2a:3f:1b:xx:xx:xx (Reason: 23=IEEE8021X_FAILED)
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-DISCONNECTED bssid=2a:3f:1b:xx:xx:xx reason=23
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="XXXXX" auth_failures=1 duration=10 reason=AUTH_FAILED
dic 12 13:39:12 absolut wpa_supplicant[1579]: BSSID 2a:3f:1b:xx:xx:xx ignore list count incremented to 2, ignoring for 10 seconds

Thanks to @Myaats, their workaround did the trick.
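At this point the thread shows two different OpenSSL failures behind the same "keeps asking for the password" symptom: 0A000152 (unsafe legacy renegotiation disabled), which the OPENSSL_CONF override addresses, and 0A0C0103 (internal error), which it did not. The script below is an added triage helper, not part of the issue or of wpa_supplicant: it groups wpa_supplicant journal lines into EAP attempts, extracts the OpenSSL reason code and the depth-0 server certificate hash, and classifies each attempt. The sample log lines and the certificate hash are constructed for the example.

```python
"""Triage wpa_supplicant journal lines for EAP/TLS failures.

Groups lines into EAP attempts, extracts the OpenSSL reason code and the
depth-0 server certificate hash, and maps the two codes seen in this issue
to what the thread found. Added example; the log lines are constructed."""
import re

# Constructed sample in the shape of the thread's journal output: one attempt
# failing with 0A000152 and one with 0A0C0103. The hash is a placeholder.
SAMPLE_LOG = """\
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
dic 12 13:39:12 absolut wpa_supplicant[1579]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
dic 12 13:39:12 absolut wpa_supplicant[1579]: OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled
dic 12 13:39:12 absolut wpa_supplicant[1579]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.test' hash=0000000000000000000000000000000000000000000000000000000000000000
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
Oct 25 16:17:10 fg001 wpa_supplicant[1320]: wlo1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

LINE_RE = re.compile(r"wpa_supplicant\[\d+\]: (?P<msg>.*)$")
METHOD_RE = re.compile(r"^(?P<iface>\S+): CTRL-EVENT-EAP-METHOD EAP vendor \d+ "
                       r"method (?P<num>\d+) \((?P<name>\w+)\) selected")
CERT_RE = re.compile(r"^\S+: CTRL-EVENT-EAP-PEER-CERT depth=(?P<depth>\d+) "
                     r"subject='(?P<subject>[^']*)' hash=(?P<hash>[0-9a-f]{64})")
ERROR_RE = re.compile(r"SSL_connect error:(?P<code>[0-9A-F]{8}):SSL routines::(?P<text>.+)$")
FAILURE_RE = re.compile(r"^\S+: CTRL-EVENT-EAP-FAILURE")

# OpenSSL reason codes that appear in this issue and what the thread found.
KNOWN_CODES = {
    "0A000152": ("legacy-renegotiation",
                 "server requires insecure TLS renegotiation; the OPENSSL_CONF "
                 "UnsafeLegacyRenegotiation override is the workaround discussed"),
    "0A0C0103": ("internal-error",
                 "not the renegotiation failure; the renegotiation override did not "
                 "help here, and one reporter saw it go away after updating nixpkgs"),
}


def parse_attempts(log_text):
    """Split journal text into EAP attempts (EAP-METHOD ... EAP-FAILURE)."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a wpa_supplicant line (kernel, dhcpcd, ...)
        msg = m.group("msg")
        mm = METHOD_RE.match(msg)
        if mm:
            current = {"iface": mm.group("iface"),
                       "method": f"{mm.group('name')}({mm.group('num')})",
                       "server_certs": [], "error_code": None,
                       "error_text": None, "failed": False}
            attempts.append(current)
            continue
        if current is None:
            continue
        cm = CERT_RE.match(msg)
        if cm and cm.group("depth") == "0":
            current["server_certs"].append((cm.group("subject"), cm.group("hash")))
            continue
        em = ERROR_RE.search(msg)
        if em:
            current["error_code"] = em.group("code")
            current["error_text"] = em.group("text")
            continue
        if FAILURE_RE.match(msg):
            current["failed"] = True
            current = None  # attempt closed; later lines start a new one
    return attempts


def classify(attempt):
    """Map an attempt to a failure class and a one-line explanation."""
    code = attempt["error_code"]
    if code is None:
        return "no-tls-error", "EAP failed without an OpenSSL error; not a TLS policy issue"
    return KNOWN_CODES.get(
        code, ("unknown", f"unrecognised OpenSSL reason {code}: {attempt['error_text']}"))


def triage(log_text):
    """One summary dict per EAP attempt found in the log."""
    out = []
    for a in parse_attempts(log_text):
        cls, why = classify(a)
        out.append({"iface": a["iface"], "method": a["method"], "code": a["error_code"],
                    "class": cls, "why": why,
                    "server_cert_hashes": sorted({h for _, h in a["server_certs"]})})
    return out


def server_cert_hashes(log_text):
    """Distinct depth-0 server certificate hashes across all attempts. A new
    hash for a known SSID is a reason to stop and check before re-entering
    credentials at the password prompt."""
    return sorted({h for a in parse_attempts(log_text) for _, h in a["server_certs"]})


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Feed it `journalctl -u wpa_supplicant` output to see which of the two failures a machine is actually hitting before changing the OpenSSL policy.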

@nikp123

nikp123 commented Dec 13, 2022

I tried to dig around myself to find what the issue actually was, and I think it might be a NetworkManager bug, as it is IMPOSSIBLE to set 802-1x.phase1-auth-flags to anything (although in theory you could enable older TLS support with it). Setting it manually in the .nmconnection file would just make the file unreadable to NetworkManager. I think we might need their maintainers' help.

Screenshot attachment for proof. [screenshot image]

@nikp123

nikp123 commented Dec 13, 2022

The flags are undocumented, however if you take a look at their repo they look like:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/libnm-core-public/nm-setting-8021x.h#L84

@dotlambda
Member

> I think it might be a NetworkManager bug

It's not. The same issue occurs when using wpa_supplicant without NetworkManager.

@nikp123

nikp123 commented Dec 13, 2022

So I'm guessing the real cause is OpenSSL raising the minimum TLS version?

@Myaats
Member

Myaats commented Dec 13, 2022

> I tried to dig around myself what the issue actually was and I think it might be a NetworkManager bug, as it is IMPOSSIBLE to set 802-1x.phase1-auth-flags to anything (although in theory you could enable older TLS support with it). Setting it manually in the .nmconnection file would just make the file unreadable to NetworkManager. I think we might need their maintainers help.
>
> Screenshot attachment for proof. [screenshot image]

The flags to enable legacy TLS versions were committed to the main branch after the release of NetworkManager currently in nixpkgs. It has also not been backported to the 1.40 release series, and there are no stable releases with it unless I missed something.

I think the easiest way to solve it for now is just to override the openssl config manually as I previously showed.

@nikp123

nikp123 commented Dec 13, 2022

> I think the easiest way to solve it for now is just to override the openssl config manually as I #193646 (comment).

Unfortunately, it didn't work for me: it still kept TLSv1.0 disabled even with the custom OpenSSL version. (Maybe something in my config broke it.) But THANKFULLY there is yet another solution.

For those reading, please try @Myaats solution first, then mine:

  1. Enable the iwd backend in NetworkManager:
{
  ...
  networking.networkmanager.wifi.backend = "iwd";
  ...
}
  2. Rebuild your NixOS install.
  3. Then, instead of using the GUI, create the file at /var/lib/iwd/YOUR_SSID_HERE.8021x
     PS: before you do that, please delete the old NetworkManager-based config, as this won't work otherwise.
  4. Fill it with a sample config, e.g. from https://wiki.archlinux.org/title/Iwd#EAP-PEAP
  5. Try to connect to it with nmtui or any other NetworkManager tool.
  6. If it doesn't work, use sudo journalctl -u iwd.service for debugging.

Thank you and have a nice day.

@Zahrun
Contributor

Zahrun commented Jan 28, 2023

I have added the below lines to my config:

systemd.services.wpa_supplicant.environment.OPENSSL_CONF = pkgs.writeText "openssl.cnf" ''
    openssl_conf = openssl_init
    [openssl_init]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    MinProtocol = TLSv1.0
    CipherString = DEFAULT@SECLEVEL=1
    Options = UnsafeLegacyRenegotiation
  '';

However, I still get the error:

Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-SSID-REENABLED id=0 ssid="AMRITA-Connect"
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: SME: Trying to authenticate with 0c:f4:d5:19:a1:18 (SSID='AMRITA-Connect' freq=2437 MHz)
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: Trying to associate with 0c:f4:d5:19:a1:18 (SSID='AMRITA-Connect' freq=2437 MHz)
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: Associated with 0c:f4:d5:19:a1:18
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=Stu-DC1.am.students.amrita.edu' hash=a45dcc7e92e03f5c4471420a8687d16449fcbdc64dd87199e84ac75e4e19c5b3
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:Stu-DC1.am.students.amrita.edu
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=Stu-DC1.am.students.amrita.edu' hash=a45dcc7e92e03f5c4471420a8687d16449fcbdc64dd87199e84ac75e4e19c5b3
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:Stu-DC1.am.students.amrita.edu
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=Stu-DC1.am.students.amrita.edu' hash=a45dcc7e92e03f5c4471420a8687d16449fcbdc64dd87199e84ac75e4e19c5b3
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:Stu-DC1.am.students.amrita.edu
Jan 28 12:20:50 nixos wpa_supplicant[14394]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
Jan 28 12:20:50 nixos wpa_supplicant[14394]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
Jan 28 12:20:50 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan 28 12:20:52 nixos wpa_supplicant[14394]: wlp82s0: Authentication with 0c:f4:d5:19:a1:18 timed out.
Jan 28 12:20:52 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-DISCONNECTED bssid=0c:f4:d5:19:a1:18 reason=3 locally_generated=1
Jan 28 12:20:52 nixos wpa_supplicant[14394]: wlp82s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="AMRITA-Connect" auth_failures=2 duration=35 reason=AUTH_FAILED
Jan 28 12:20:52 nixos wpa_supplicant[14394]: BSSID 0c:f4:d5:19:a1:18 ignore list count incremented to 2, ignoring for 10 seconds

I am not willing to use iwd. How can we fix this issue?
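The overrides in this thread (the Options-only config from the earlier workaround and the combined one above) only take effect if OpenSSL can follow the section chain openssl_conf -> ssl_conf -> system_default; a mistyped link leaves the default policy in place with no error from wpa_supplicant. The checker below is an added example, not code from the thread or from OpenSSL: it walks that chain with Python's configparser and reports which policy-weakening settings the override actually enables. Both sample configs are constructed for the example.

```python
"""Validate an OPENSSL_CONF override like the ones in this thread.

Follows the openssl_conf -> ssl_conf -> system_default section chain that
OpenSSL 3 uses for its system-wide TLS policy and lists the settings that
weaken it. Added example; sample configs are constructed here."""
import configparser
import io

# Constructed sample: the combined override posted in the thread.
GOOD_CONF = """
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
Options = UnsafeLegacyRenegotiation
"""

# Constructed sample with one mistyped link: OpenSSL would ignore the override.
BROKEN_CONF = """
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_defaults
[system_default_sect]
Options = UnsafeLegacyRenegotiation
"""

# Keys in the system_default section that lower the TLS policy, with a
# predicate telling whether the given value actually does so.
LEGACY_MARKERS = {
    "MinProtocol": lambda v: v.upper() in ("SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"),
    "CipherString": lambda v: "SECLEVEL=0" in v.upper() or "SECLEVEL=1" in v.upper(),
    "Options": lambda v: "UNSAFELEGACYRENEGOTIATION" in v.upper().replace(" ", ""),
}

# The three links OpenSSL follows, starting from the top-level (unnamed) section.
CHAIN_KEYS = ("openssl_conf", "ssl_conf", "system_default")


def parse_openssl_conf(text):
    """Parse openssl.cnf-style text. Keys before the first [section] belong to
    the top-level section; configparser needs a header for it, so one is added."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # OpenSSL keys are case-sensitive
    cp.read_file(io.StringIO("[top]\n" + text))
    return cp


def resolve_system_default(cp):
    """Return (section_name, settings) or (None, error) if a link is broken."""
    section = "top"
    for key in CHAIN_KEYS:
        if not cp.has_option(section, key):
            return None, f"[{section}] has no '{key}' key"
        target = cp.get(section, key).strip()
        if not cp.has_section(target):
            return None, f"[{section}] {key} points at missing section [{target}]"
        section = target
    return section, dict(cp.items(section))


def audit(text):
    """Summarise an override: whether it resolves and which keys weaken policy."""
    cp = parse_openssl_conf(text)
    section, result = resolve_system_default(cp)
    if section is None:
        return {"ok": False, "error": result, "section": None, "legacy": []}
    legacy = sorted(k for k, v in result.items()
                    if k in LEGACY_MARKERS and LEGACY_MARKERS[k](v))
    return {"ok": True, "error": None, "section": section, "legacy": legacy}


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        print(name, audit(conf))
```

If `audit` reports the chain resolving and the legacy keys active, yet the journal still shows the 0A0C0103 internal error, the failure is not the renegotiation policy this override targets.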

@Zahrun
Contributor

Zahrun commented Jan 28, 2023

I found this as the solution implemented in Ubuntu https://launchpadlibrarian.net/605188576/wpa_2%3A2.10-6ubuntu1_2%3A2.10-6ubuntu2.diff.gz

@fee1-dead
Member Author

@Zahrun that TLS version is really low and doesn't seem to be secure. It is unrelated to this issue though.

@Zahrun
Contributor

Zahrun commented Jan 28, 2023

Well, it is somewhat related, since my issue is "NetworkManager fails to connect to enterprise network" and it is due to OpenSSL security (or rather my university WiFi using insecure protocols, but that is harder to change).
I found a solution thanks to https://unix.stackexchange.com/a/561516/558468
So in NixOS I implemented it as:

  • a configuration file (e.g. /etc/wpa_supplicant/wpa_supplicant.conf) which contains:
openssl_ciphers=DEFAULT@SECLEVEL=0
  • in configuration.nix:
systemd.services.wpa_supplicant.serviceConfig.ExecStart = [
    ""
    "${pkgs.wpa_supplicant}/sbin/wpa_supplicant -u -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf -N -i wlp82s0 -c /etc/wpa_supplicant/wpa_supplicant.conf"
  ];

Now I can connect to WiFi.

EDIT: If anyone runs into the same situation, below is the solution I use for my own configuration. Please be aware that this will remove all security checks on all wifi interfaces and set the security level to 0. I think a better solution would be to implement Ubuntu’s patch to wpa_supplicant. However, if you decide that you want to be able to connect to unsafe networks even though you understand the security concern, here is my local workaround:
configuration.nix

  # fix for unsafe enterprise wifi connection
  systemd.services.wpa_supplicant = {
    serviceConfig.ExecStart = [
      ""
      "/etc/nixos/wpa_supplicant.sh"
    ];
    path = with pkgs; [bash libnotify wirelesstools wpa_supplicant];
  };
  # detect wlan device changes and restart both services
  # (udev RUN+= executes one program, not a shell command line, so both units
  # are passed to a single systemctl call instead of being chained with &&)
  services.udev.extraRules = ''
    ENV{DEVTYPE}=="wlan", ACTION=="remove", RUN+="${pkgs.systemd}/bin/systemctl restart wpa_supplicant.service NetworkManager.service"
    ENV{DEVTYPE}=="wlan", ACTION=="add", RUN+="${pkgs.systemd}/bin/systemctl restart wpa_supplicant.service NetworkManager.service"
  '';

wpa_supplicant.sh

#!/usr/bin/env bash
# Start one wpa_supplicant managing every wireless interface; -N separates the
# per-interface option groups, so the trailing -N after the last one is dropped.
args=(-u)
for path in /sys/class/net/*; do
    # only interfaces that expose a "wireless" directory are Wi-Fi devices
    [ -d "$path/wireless" ] || continue
    args+=(-i "$(basename "$path")" -c /etc/nixos/wpa_supplicant.conf -N)
done
[ "${#args[@]}" -gt 1 ] && unset 'args[-1]'
exec wpa_supplicant "${args[@]}"

wpa_supplicant.conf

openssl_ciphers=DEFAULT@SECLEVEL=0

EDIT2: a better solution is already in the wpa_supplicant upstream repo #219390

@Zahrun
Contributor

Zahrun commented Mar 3, 2023

@fee1-dead,

Upstream, being aware of the issue you faced, implemented an option in wpa_supplicant.conf allow_unsafe_renegotiation https://w1.fi/cgit/hostap/commit/?id=566ce69a8d0e64093309cbde80235aa522fbf84e

Debian bookworm uses this patch to fix the issue https://sources.debian.org/patches/wpa/2:2.10-11/allow-legacy-renegotiation.patch/
Should we include this in NixOS too?
