Re: Bug#982548: wpasupplicant: Missing support for WPA-EAP-SUITE-B(-192)

To: "Jan Fuchs" <jf@simonwunderlich.de>, 982548@bugs.debian.org
Cc: debian-lts@lists.debian.org
Subject: Re: Bug#982548: wpasupplicant: Missing support for WPA-EAP-SUITE-B(-192)
From: "Andrej Shadura" <andrew@shadura.me>
Date: Fri, 12 Feb 2021 09:14:56 +0100
Message-id: <[🔎] e677d13c-2d7d-40d5-98e2-6a2f60933d96@www.fastmail.com>
In-reply-to: <015f501e8850fe470511d40c2ca9db3fc3c57ea7.camel@simonwunderlich.de>
References: <015f501e8850fe470511d40c2ca9db3fc3c57ea7.camel@simonwunderlich.de>

Control: tag -1 wontfix
Control: fixed -1 2:2.6-4

Hi,

On Thu, 11 Feb 2021, at 16:50, Jan Fuchs wrote:
> Package: wpasupplicant
> Version: 2:2.4-1
> Severity: normal
> Tags: patch
> 
> It was observed that Debian's wpa_supplicant is not able to connect to 
> connect to networks with key_mgmt WPA-EAP-SUITE-B and/or 
> WPA-EAP-SUITE-B-192 (aka WPA3-Enterprise 192-bit mode). The upstream 
> wpa_supplicant supports this since 2.4. Following is seen when trying 
> to load a config with this kind of configuration:

I’m afraid 2:2.4-1 is part of Debian Stretch, which is no longer supported. You can, however, install a newer version from stretch-backports, but I’d rather recommend you to upgrade to Buster; please be aware that Bullseye is likely going to be released later this year.

Alternatively, the Debian LTS project might consider enabling this even though it’s not technically in their scope, as this is not a security issue (cc'ed the LTS mailing list), but I’m personally not interested in supporting such an old version.

> 1613046731.169674: Line: 3 - start of a new network block
> 1613046731.169679: ssid - hexdump_ascii(len=11):
>      41 50 38 34 30 2d 57 50 41 32 33                  AP840-WPA23     
> 1613046731.169692: proto: 0x2
> 1613046731.169696: Line 9: invalid key_mgmt 'WPA-EAP-SUITE-B-192'
> 1613046731.169699: Line 9: no key_mgmt values configured.
> 1613046731.169701: key_mgmt: 0x0
> 1613046731.169704: Line 9: failed to parse key_mgmt 'WPA-EAP-SUITE-B-
> 192'.
> 1613046731.169708: ieee80211w=2 (0x2)
> 
> The used config was:
> 
> ctrl_interface=/run/wpa_supplicant
> ctrl_interface_group=root                      
> network={
>     ssid="AP840-WPA23"
>     scan_ssid=1
>     proto=RSN
>     key_mgmt=WPA-EAP-SUITE-B-192
>     ieee80211w=1
>     pairwise=GCMP-256
>     group=GCMP-256
>     group_mgmt=BIP-GMAC-256
>     eap=TLS
>     identity="anonymous"
>     ca_cert="/home/user/rsa3072-ca.crt"
>     client_cert="/home/user/rsa3072-user.crt"
>     private_key="/home/user/rsa3072-user.key"
>     private_key_passwd="wifi"
> }
> 
> The problem can be solved by adding following two lines to the files in
> debian/config/wpasupplicant/
> 
> CONFIG_SUITEB=y
> CONFIG_SUITEB192=y
> 
> This is also breaking the support for these kind of networks in
> network-manager.
> 
> -- 
> Jan Fuchs
> development engineer
>  
> Simon Wunderlich Systementwicklung & Beratung
> Herrenstr. 6, 08523 Plauen, VAT-ID: DE 279397655
> 
>

-- 
Cheers,
  Andrej

Reply to:

Follow-Ups:
- Re: Bug#982548: wpasupplicant: Missing support for WPA-EAP-SUITE-B(-192)
  - From: Utkarsh Gupta <utkarsh@debian.org>

Prev by Date: Re: Supporting unbound in stretch by upgrading to 1.9
Next by Date: unbound1.9_1.9.0-2+deb10u2~deb9u1_amd64.changes REJECTED
Previous by thread: Re: Support for insecure applications
Next by thread: Re: Bug#982548: wpasupplicant: Missing support for WPA-EAP-SUITE-B(-192)
Index(es):
- Date
- Thread