Skip to content

Instantly share code, notes, and snippets.

@simonesestito

simonesestito/README.md

Last active April 24, 2025 07:24
Show Gist options
  • Save simonesestito/97d8cf8e05b7488083cedabcefd5d65c to your computer and use it in GitHub Desktop.
Save simonesestito/97d8cf8e05b7488083cedabcefd5d65c to your computer and use it in GitHub Desktop.
Download ZIP
eduroam connection fix
Raw
README.md

Error

journalctl --boot --unit wpa_supplicant.service --follow

wpa_supplicant[888]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version

wpa_supplicant[888]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol

That may indicate that the network you're trying to connect to, requires some very old protocols. If the missing one is TLSv1.0, the following command will make the network work again!

Fix

Automatic fix (recommended)

nmcli con mod id <YOUR_SSID> 802-1x.phase1-auth-flags 32

Make sure to replace <YOUR_SSID> with the actual SSID of the network which is affected by the previous error. As an example, in the specific case of eduroam, the command will be:

nmcli con mod id eduroam 802-1x.phase1-auth-flags 32
Big thanks to @yrro for the easy-to-use command and the explanation

Manual editing

  1. Add the following line in /etc/NetworkManager/system-connections/YOUR_NETWORK_NAME.nmconnection, under the [802-1x] section:

phase1-auth-flags=32

  1. Restart services
sudo systemctl restart NetworkManager.service
sudo systemctl restart wpa_supplicant.service
@yrro
Copy link

yrro commented Nov 10, 2023

FYI this should modify the connection without having to edit files/restart stuff:

$ nmcli con mod id <your connection name> 802-1x.phase1-auth-flags 32

As for the meaning of 32, this is 0x20 hexadecimal which according to the documentation corresponds to tls-1-0-enable

i.e., it enables the dreadfully out of date TLSv1.0 protocol which is perhaps still required by EduRoam.

@simonesestito
Copy link
Author

@yrro Thanks a lot for your contribution, I've updated the gist

@belamadar
Copy link

This fix doesn't seem to work on Fedora 41, producing these error messages:

wpa_supplicant[11996]: OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
fedora wpa_supplicant[11996]: EAP-MSCHAPV2: Failed to derive response

My fix was the following:

  1. Edit the OpenSSL configuration file (usually /etc/ssl/openssl.cnf) and enable legacy cryptographic algorithms:
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[legacy_sect]
activate = 1
  1. Restart services
sudo systemctl restart wpa_supplicant.service```

@yrro
Copy link

yrro commented Nov 21, 2024
edited
Loading

This fix doesn't seem to work on Fedora 41, producing these error messages:

wpa_supplicant[11996]: OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
fedora wpa_supplicant[11996]: EAP-MSCHAPV2: Failed to derive response

Likely that's this bug.

Be aware your workaround 'enables the legacy provider system-wide, which will enable legacy cryptographic algorithms in many more places' - downgrading pkcs11-provider (or modifying /etc/pki/tls/openssl.d/pkcs11-provider.conf as described by a couple of the comments in the bug) is a safer workaround until the bug is fixed.

@belamadar
Copy link

Fedora provided an upgrade:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-fbf9ccda7b

Note this is not a fix for the problem, we are still determining if we can fix it in openssl or if we'll have to make workarounds in pkcs11-provider or wpa_supplicant itself, however this works around the porblem for people that do not need to use pkcs11-provider for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment