
Issue 640455

Starred by 3 users

Issue metadata

Status: Archived
Owner: ----
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug




WPA_Supplicant not following certificate chain of self-managed certificate authority

Reported by rcmcdona...@gmail.com, Aug 24 2016

Issue description

Chrome Version: 52.0.2743.116
Chrome OS Version: 8350.68.0
Chrome OS Platform: Samsung Chromebook 2 11" (Intel)
Network info: WPA2-Enterprise, 802.1x, EAP-PEAP

Please specify Cr-* of the system to which this bug/feature applies (add
the label below).

Steps To Reproduce:
(1) Deploy a self-managed, root CA (i.e. Active Directory Certificate Services or OpenSSL)
(2) Push self-managed, root CA to Chrome devices via Google Admin Console marked as a "Certificate Authority"
(3) Sign EAP-PEAP / RADIUS server using a server certificate signed by the self-managed, root CA from step 1.
(4) Attempt to connect to the network while leaving the "Server CA Certificate" field set to "Default"
(5) Chrome OS will return "Authentication Rejected Locally"

Expected Result:

When importing a self-managed, root CA to Chrome devices, WPA_Supplicant should use these certificate authorities for verifying EAP server certificates.

Actual Result:

WPA_Supplicant does not utilize "pushed" certificate authorities for verifying the certificate chain of EAP server certificates.

How frequently does this problem reproduce? (Always, sometimes, hard to
reproduce?)

Always

What is the impact to the user, and is there a workaround? If so, what is
it?

Tell users to explicitly choose the certificate from the list or choose "Don't Check"

Please provide any additional information below. Attach a screen shot or
log if possible.

2016-08-21T13:40:51.927707-04:00 WARNING wpa_supplicant[500]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/CN=gr-dc-01.inside.graa.com'
2016-08-21T13:40:51.927716-04:00 NOTICE wpa_supplicant[500]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/CN=gr-dc-01.inside.graa.com' err='unable to get local issuer certificate'
2016-08-21T13:40:51.927725-04:00 DEBUG wpa_supplicant[500]: EAP: Status notification: remote certificate verification (param=unable to get local issuer certificate)

Components: Internals>Network
Components: -Internals>Network OS>Systems>Network
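
Added example, not part of the original report and not Chrome OS or wpa_supplicant code: a small triage script for the CTRL-EVENT-EAP-TLS-CERT-ERROR events quoted in the issue description, separating the "unable to get local issuer certificate" case reported here from other verification failures. The sample log lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import Counter

# Event layout taken from the log excerpt in the report above.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\w+\s+wpa_supplicant\[\d+\]:\s+(?P<iface>\S+):\s+"
    r"CTRL-EVENT-EAP-TLS-CERT-ERROR\s+reason=(?P<reason>\d+)\s+"
    r"depth=(?P<depth>\d+)\s+subject='(?P<subject>[^']*)'\s+err='(?P<err>[^']*)'"
)
ISSUER_NOT_FOUND = "unable to get local issuer certificate"  # verify error 20

# Constructed sample lines (hostnames and timestamps are placeholders).
SAMPLE = [
    "2016-08-21T13:40:51.1-04:00 WARNING wpa_supplicant[500]: TLS: Certificate "
    "verification failed, error 20 (unable to get local issuer certificate) "
    "depth 0 for '/CN=radius.example.test'",
    "2016-08-21T13:40:51.2-04:00 NOTICE wpa_supplicant[500]: wlan0: "
    "CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 "
    "subject='/CN=radius.example.test' err='unable to get local issuer certificate'",
    "2016-08-21T13:41:20.7-04:00 NOTICE wpa_supplicant[500]: wlan0: "
    "CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 "
    "subject='/CN=radius.example.test' err='unable to get local issuer certificate'",
    "2016-08-21T13:45:02.3-04:00 NOTICE wpa_supplicant[500]: wlan0: "
    "CTRL-EVENT-EAP-TLS-CERT-ERROR reason=4 depth=0 "
    "subject='/CN=old.example.test' err='certificate has expired'",
]

def parse_cert_errors(lines):
    """Extract structured fields from every TLS-CERT-ERROR event line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["reason"], ev["depth"] = int(ev["reason"]), int(ev["depth"])
            events.append(ev)
    return events

def classify(ev):
    """Name the likely cause; depth 0 is the server's own certificate."""
    if ev["err"] == ISSUER_NOT_FOUND:
        where = "server certificate" if ev["depth"] == 0 else "chain certificate"
        return "trust-anchor-missing: issuer of %s not in the CA set used" % where
    return "other: " + ev["err"]

def summarize(lines):
    """Count findings per (interface, subject, classification)."""
    return Counter((e["iface"], e["subject"], classify(e))
                   for e in parse_cert_errors(lines))
```

A "trust-anchor-missing" finding at depth 0 for a server signed by a private root is the signature of the behaviour described in this issue; repeated counts for one subject indicate clients retrying against the same RADIUS server.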

Comment 3 by sheriffbot@chromium.org, Sep 8 2017

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
