```
journalctl --boot --unit wpa_supplicant.service --follow
wpa_supplicant[888]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[888]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
```
That may indicate that the network you're trying to connect to requires some very old protocols. If the missing one is TLSv1.0, the following command will make the network work again!
```
nmcli con mod id <YOUR_SSID> 802-1x.phase1-auth-flags 32
```
Make sure to replace `<YOUR_SSID>` with the actual SSID of the network which is affected by the previous error. As an example, in the specific case of eduroam, the command will be:
```
nmcli con mod id eduroam 802-1x.phase1-auth-flags 32
```
- Add the following line in `/etc/NetworkManager/system-connections/YOUR_NETWORK_NAME.nmconnection`, under the `[802-1x]` section:
  ```
  phase1-auth-flags=32
  ```
- Restart services
  ```
  sudo systemctl restart NetworkManager.service
  sudo systemctl restart wpa_supplicant.service
  ```
infinanis commented Nov 8, 2023
Is there some documentation regarding those 8021x auth flags? I've tried searching the internet but can't find anything.
simonesestito commented Nov 8, 2023
> Is there some documentation regarding those 8021x auth flags?

I couldn't find anything either. The solution came from the Arch Linux forum
yrro commented Nov 10, 2023
FYI this should modify the connection without having to edit files/restart stuff:
```
$ nmcli con mod id <your connection name> 802-1x.phase1-auth-flags 32
```
As for the meaning of 32, this is 0x20 hexadecimal which according to the documentation corresponds to tls-1-0-enable
i.e., it enables the dreadfully out of date TLSv1.0 protocol which is perhaps still required by EduRoam.
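As an added example (not part of the gist or of any comment in this thread), the following Python script decodes a `phase1-auth-flags` value and reports which flags weaken the outer TLS tunnel, which is useful when reviewing `.nmconnection` keyfiles for leftover downgrades. The flag table follows NetworkManager's `NMSetting8021xAuthFlags` documentation (the thread itself only confirms that 0x20 is tls-1-0-enable); the `RISKY` set, the function names and the sample keyfile are assumptions made for illustration.

```python
import configparser

# Flag names and values as listed for NMSetting8021xAuthFlags in the
# NetworkManager settings documentation; the thread itself only confirms
# that 0x20 is tls-1-0-enable.
AUTH_FLAGS = {
    0x1: "tls-1-0-disable", 0x2: "tls-1-1-disable", 0x4: "tls-1-2-disable",
    0x8: "tls-disable-time-checks", 0x10: "tls-1-3-disable",
    0x20: "tls-1-0-enable", 0x40: "tls-1-1-enable",
    0x80: "tls-1-2-enable", 0x100: "tls-1-3-enable",
}
# Assumption for this example: flags worth flagging in a review.
RISKY = {"tls-1-0-enable", "tls-1-1-enable", "tls-disable-time-checks"}


def decode_auth_flags(value):
    """Split a phase1-auth-flags integer into its flag names."""
    names = [name for bit, name in AUTH_FLAGS.items() if value & bit]
    unknown = value & ~sum(AUTH_FLAGS)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def audit_keyfile(text):
    """Return (connection id, decoded flags, risky flags) for one keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    conn_id = cp.get("connection", "id", fallback="<unnamed>")
    raw = cp.get("802-1x", "phase1-auth-flags", fallback="0")
    flags = decode_auth_flags(int(raw, 0))
    return conn_id, flags, sorted(RISKY.intersection(flags))


# Constructed sample keyfile, not taken from a real system.
SAMPLE = """\
[connection]
id=eduroam
type=wifi

[802-1x]
eap=peap;
phase1-auth-flags=32
"""

if __name__ == "__main__":
    print(audit_keyfile(SAMPLE))
```

On a real system the keyfiles under `/etc/NetworkManager/system-connections/` are readable only by root, so pass their contents to `audit_keyfile` from a privileged context.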
simonesestito commented Dec 7, 2023
@yrro Thanks a lot for your contribution, I've updated the gist
belamadar commented Nov 21, 2024
This fix doesn't seem to work on Fedora 41, producing these error messages:
```
wpa_supplicant[11996]: OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
fedora wpa_supplicant[11996]: EAP-MSCHAPV2: Failed to derive response
```
My fix was the following:
- Edit the OpenSSL configuration file (usually /etc/ssl/openssl.cnf) and enable legacy cryptographic algorithms:
  ```
  [openssl_init]
  providers = provider_sect

  [provider_sect]
  default = default_sect
  legacy = legacy_sect

  [legacy_sect]
  activate = 1
  ```
- Restart services
  ```
  sudo systemctl restart wpa_supplicant.service
  ```

yrro commented Nov 21, 2024 • edited
> This fix doesn't seem to work on Fedora 41, producing these error messages:
> wpa_supplicant[11996]: OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
> fedora wpa_supplicant[11996]: EAP-MSCHAPV2: Failed to derive response

Likely that's this bug.
Be aware your workaround 'enables the legacy provider system-wide, which will enable legacy cryptographic algorithms in many more places' - downgrading pkcs11-provider (or modifying /etc/pki/tls/openssl.d/pkcs11-provider.conf as described by a couple of the comments in the bug) is a safer workaround until the bug is fixed.
belamadar commented Dec 10, 2024
Fedora provided an upgrade:
```
sudo dnf upgrade --refresh --advisory=FEDORA-2024-fbf9ccda7b
```
Note this is not a fix for the problem, we are still determining if we can fix it in openssl or if we'll have to make workarounds in pkcs11-provider or wpa_supplicant itself, however this works around the problem for people that do not need to use pkcs11-provider for now.