• can't connect to eduroam due to SSL3 unsupported protocol

    From Vincent Lefevre@21:1/5 to All on Mon Jun 17 14:10:01 2024
    Hi,

    Under Debian/unstable, I can't connect to eduroam due to the following
    reason:

    Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
    Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
    Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed

    Anyone knows what's wrong?

    (There were such kinds of issues several years ago, but I thought
    this was fixed.)

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
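The wpa_supplicant lines in the post above, decoded field by field; this is an added example, not part of the original thread. The function name `triage` and the result keys are hypothetical, and the error-code split assumes the OpenSSL 3.x packed layout (library in bits 23-30, reason in bits 0-22).

```python
import re

# The five journal lines quoted in the first post, reproduced as sample input.
SAMPLE = """\
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method (\d+) \((\S+)\) selected")
ALERT = re.compile(r"SSL: SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
ERROR = re.compile(r"SSL_connect error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.+)$")


def triage(log_text):
    """Collect the EAP method, TLS alert and OpenSSL error from wpa_supplicant lines."""
    out = {"eap_failed": False}
    for line in log_text.splitlines():
        if m := METHOD.search(line):
            out["eap_method"] = m.group(2)
        elif m := ALERT.search(line):
            # "write" = alert sent by this host; "read" = alert received from the peer.
            out["alert_origin"] = "local" if m.group(1) == "write" else "peer"
            out["alert_level"], out["alert_desc"] = m.group(2), m.group(3).strip()
        elif m := ERROR.search(line):
            code = int(m.group(1), 16)
            # Assumed OpenSSL 3.x layout: library in bits 23-30, reason in bits 0-22.
            out["err_lib"] = (code >> 23) & 0xFF
            out["err_reason"] = code & 0x7FFFFF
            out["err_text"] = m.group(4).strip()
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            out["eap_failed"] = True
    # A locally sent "protocol version" alert means this host's TLS stack refused
    # the negotiated version while setting up the PEAP tunnel.
    out["version_refused_locally"] = (
        out.get("alert_origin") == "local" and out.get("alert_desc") == "protocol version"
    )
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The `alert_origin` field is the part worth checking first: it separates a refusal made by the client's own TLS library from an alert sent by the RADIUS side.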
  • From Marco Moock@21:1/5 to All on Mon Jun 17 14:20:02 2024
    On 17.06.2024 at 14:07:13, Vincent Lefevre wrote:

    Anyone knows what's wrong?

    If they really rely on SSL3.0 it is the fault of the network operator
    because that protocol is outdated, has some vulnerabilities and has
    been deprecated for years. Most systems have it disabled by default.

    --
    Regards
    Marco

    Send unsolicited bulk mail to 1718626033muell@cartoonies.org

  • From Dan Ritter@21:1/5 to Vincent Lefevre on Mon Jun 17 14:50:01 2024
    Vincent Lefevre wrote:
    Hi,

    Under Debian/unstable, I can't connect to eduroam due to the following reason:

    Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
    Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
    Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
    Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed

    Anyone knows what's wrong?

    (There were such kinds of issues several years ago, but I thought
    this was fixed.)

    On stable:
    $ openssl list -disabled
    Disabled algorithms:
    IDEA
    MD2
    MDC2
    RC5
    SCTP
    SSL3
    ZLIB

    So, SSL3 support was removed at least that long ago. I think it
    was actually dropped around 2016.

    The problem is almost certainly that someone at the eduroam
    server config doesn't know the difference between SSL3 and
    TLS1.3, or something similar. You'll need to talk to them about
    why they haven't enabled TLS1, 1.1, 1.2 or 1.3 -- of these, only
    1.2 and 1.3 are recommended.

    -dsr-

  • From Vincent Lefevre@21:1/5 to Dan Ritter on Mon Jun 17 16:20:01 2024
    On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
    On stable:
    $ openssl list -disabled
    Disabled algorithms:
    IDEA
    MD2
    MDC2
    RC5
    SCTP
    SSL3
    ZLIB

    So, SSL3 support was removed at least that long ago. I think it
    was actually dropped around 2016.

    That's strange because when I installed the machine in October,
    there were no issues.

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

  • From Stefan Monnier@21:1/5 to All on Mon Jun 17 16:20:02 2024
    Under Debian/unstable, I can't connect to eduroam due to the following reason:

    AFAIK, while "the eduroam" looks like one thing it's just a bunch of
    local wifi networks, each one administered&managed mostly independently
    and with different configurations. By and large, if you can connect to
    eduroam at one place it's likely it'll also work elsewhere but it's not
    always the case.


    Stefan

  • From Vincent Lefevre@21:1/5 to Stefan Monnier on Mon Jun 17 17:10:01 2024
    On 2024-06-17 10:18:09 -0400, Stefan Monnier wrote:
    Under Debian/unstable, I can't connect to eduroam due to the following reason:

    AFAIK, while "the eduroam" looks like one thing it's just a bunch of
    local wifi networks, each one administered&managed mostly independently
    and with different configurations. By and large, if you can connect to eduroam at one place it's likely it'll also work elsewhere but it's not always the case.

    Isn't the authentication done by the remote side, thus will always
    require the same protocol for a given account?

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

  • From Nicolas George@21:1/5 to All on Mon Jun 17 17:40:02 2024
    Richard (12024-06-17):
    There is a coordination, so you can use the same login data all over the world. At least that's how it's supposed to work. But afaik the protocols themselves aren't predefined. That's up to the local IT department how they implement this. Authentication should always be done locally, with synchronization between facilities. At least to my understanding, but I'm
    no eduroam professional.

    That would require that all establishments download and keep in sync the
    whole database of users of all other establishments. That is not
    sustainable, and I am not even talking about the privacy concerns.

    What happens is the local Radius for Eduroam forwards the authentication request to the Radius from the origin institution.

    For example, if the security officer of here.edu knows there was an
    incident on a local Eduroam IP, they can know it was authenticated for
    “anonymous@somewhere-else.edu”, and they need to ask the security
    officer of somewhere-else.edu to get further details.


    On Mon, 17 June 2024 at 17:02, Vincent Lefevre <vincent@vinc17.net> wrote:

    Please do not top-post.

    Regards,

    --
    Nicolas George

  • From Dan Ritter@21:1/5 to Vincent Lefevre on Mon Jun 17 21:30:01 2024
    Vincent Lefevre wrote:
    On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
    On stable:
    $ openssl list -disabled
    Disabled algorithms:
    IDEA
    MD2
    MDC2
    RC5
    SCTP
    SSL3
    ZLIB

    So, SSL3 support was removed at least that long ago. I think it
    was actually dropped around 2016.

    That's strange because when I installed the machine in October,
    there were no issues.

    Perhaps the change is not in your system but in theirs?

    -dsr-

  • From Marco Moock@21:1/5 to All on Thu Jun 20 11:10:01 2024
    On 20.06.2024 at 11:05:10, Vincent Lefevre wrote:

    I've got a confirmation that their Radius servers still use SSL3,
    and they said that they could not upgrade them.

    Then they have very, very outdated stuff. Talk to the security
    department at your site, maybe they make them hurry up.

  • From Vincent Lefevre@21:1/5 to Dan Ritter on Thu Jun 20 11:10:01 2024
    On 2024-06-17 15:08:54 -0400, Dan Ritter wrote:
    Vincent Lefevre wrote:
    On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
    On stable:
    $ openssl list -disabled
    Disabled algorithms:
    IDEA
    MD2
    MDC2
    RC5
    SCTP
    SSL3
    ZLIB

    So, SSL3 support was removed at least that long ago. I think it
    was actually dropped around 2016.

    That's strange because when I installed the machine in October,
    there were no issues.

    Perhaps the change is not in your system but in theirs?

    I've got a confirmation that their Radius servers still use SSL3,
    and they said that they could not upgrade them.

    But perhaps the authentication is done differently when I connect
    locally (still using eduroam)?

    I could try again locally if need be.

    --
    Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
    100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
    Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

  • From davenull@tuxfamily.org@21:1/5 to Vincent Lefevre on Fri Jun 21 14:10:01 2024
    Hello

    On 2024-06-17 16:14, Vincent Lefevre wrote:
    On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
    On stable:
    $ openssl list -disabled
    Disabled algorithms:
    IDEA
    MD2
    MDC2
    RC5
    SCTP
    SSL3
    ZLIB

    So, SSL3 support was removed at least that long ago. I think it
    was actually dropped around 2016.

    That's strange because when I installed the machine in October,
    there were no issues.

    SSL v3 was deprecated years ago, and replaced by TLS. SSLv3 support
    in Debian was dropped a while ago, like most OSes (except obsolete
    ones, from 2016 and before).

    Even TLS 1.0 and 1.1 should be avoided whenever possible.

    Maybe it worked because it used correct configuration/hardware/software.
    If it supports SSLv3 and not TLS, it's outdated software.

    The best thing you could do is to

    - try Debian stable from a live USB to check if it also tries to use SSLv3.
      If it tries to use SSLv3 as well, chances are the authentication
      server only offers SSLv3 and is outdated.
      If it doesn't and it connects using TLS (preferably v1.2 or 1.3), maybe
      there is a bug in Unstable, which leads the client (Debian unstable) to try
      to use SSLv3 (erratically).
    - contact your uni Eduroam support to see if anything changed since last October
