
Issue 910511

Starred by 2 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




WPA/WPA2 Enterprise (802.1X) PEAP not connecting "certificate is not yet valid"

Project Member Reported by marcore@chromium.org, Nov 30

Issue description

ChromeOS version: 70.0.3538.76
ChromeOS device model: Lenovo 100e Chromebook
Case#: 17505050

Description: the wpa_supplicant certificate verification is not redone after fixing the date with tlsdate


Steps to reproduce:
1) the Chromebook has the wrong date (in the past)
2) the Chromebook tries to connect to a network with the certificate with a future date (now-1d)
3) the Chromebook connects to an open network and fixes the date with tlsdate
4) the Chromebook tries to connect to a network with the certificate

Current Behavior / Reproduction:
5) the Chromebook is unable to connect

Expected Behavior: 
5) the Chromebook connects to the network

Drive link to logs: 
https://drive.google.com/open?id=1Y3bhVGjSO-u4fb8damDG-EI3xAaXJEOV
policy: https://drive.google.com/open?id=1cu4qcnX9_xsAUclirdYpSSy8FgiFCxq5
certificate: https://drive.google.com/open?id=1n6xxKWuM1Ha9CVmWu1vTlBq7tvs-ZnQg

What I've seen in the log:
-- tlsdate.1.log 
2018-10-02T08:13:18.118034-04:00 NOTICE tlsdate[2203]: SSL connection failed
...
2018-10-02T08:17:34.464186-04:00 NOTICE tlsdate[2203]: V: server time 1543499622 (difference is about -5016968 s) was fetched in 70 ms
2018-11-29T08:53:42.000378-05:00 INFO tlsdated[2202]: [event:handle_child_death] tlsdate reaped => pid:2891 uid:234 status:0 code:1
2018-11-29T08:53:42.000454-05:00 INFO tlsdated[2202]: [event:handle_time_setter] time set from the network (1543499622)

-- net.1.log
2018-10-02T08:14:12.288900-04:00 WARNING wpa_supplicant[574]: TLS: Certificate verification failed, error 9 (certificate is not yet valid) depth 0 for '/C=US/ST=XX/L=XXX/O=XXXXX Public Schools/CN=XXXXXX.us'
2018-10-02T08:14:12.288919-04:00 NOTICE wpa_supplicant[574]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=3 depth=0 subject='/C=US/ST=XX/L=XXXX/O=XXXX Public Schools/CN=XXXXXX.us' err='certificate is not yet valid'
...
2018-10-02T08:14:12.290344-04:00 INFO shill[740]: [INFO:service.cc(839)] Received certification for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA at depth 2
2018-10-02T08:14:12.290378-04:00 INFO shill[740]: [INFO:service.cc(839)] Received certification for /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA at depth 1
2018-10-02T08:14:12.290406-04:00 ERR shill[740]: [ERROR:supplicant_eap_state_handler.cc(64)] EAP: Unexpected remote certificate verification parameter: certificate is not yet valid
--
Then the system doesn't retry the verification of the certificate.

 
Labels: Enterprise-Triaged
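
A triage sketch for logs like the ones in this report, added here as an example and not part of the original report or of Chrome OS code: it separates "certificate is not yet valid" errors logged before tlsdated corrected the clock (explained by skew) from any logged afterwards (which need another explanation). The sample lines are constructed from the excerpts above with a placeholder subject, the last sample line is constructed, and the sign convention for "difference" is an assumption inferred from the timestamp jump in the report's log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the report's excerpts (placeholder subject).
# The last line is constructed to show an error logged after the clock fix.
SAMPLE = """\
2018-10-02T08:14:12.288919-04:00 NOTICE wpa_supplicant[574]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=3 depth=0 subject='/CN=example.invalid' err='certificate is not yet valid'
2018-10-02T08:17:34.464186-04:00 NOTICE tlsdate[2203]: V: server time 1543499622 (difference is about -5016968 s) was fetched in 70 ms
2018-11-29T08:53:42.000454-05:00 INFO tlsdated[2202]: [event:handle_time_setter] time set from the network (1543499622)
2018-11-29T08:55:01.000000-05:00 NOTICE wpa_supplicant[574]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=3 depth=0 subject='/CN=example.invalid' err='certificate is not yet valid'
"""

CERT_ERR = re.compile(r"CTRL-EVENT-EAP-TLS-CERT-ERROR .*err='certificate is not yet valid'")
SKEW = re.compile(r"tlsdate\[\d+\]: V: server time \d+ \(difference is about (-?\d+) s\)")
TIME_SET = re.compile(r"tlsdated\[\d+\]: \[event:handle_time_setter\] time set from the network")


def classify(log_text):
    """Return (skew_seconds, findings); findings are (logged, estimated_real, verdict)."""
    lines = log_text.splitlines()
    skew = next((int(m.group(1)) for l in lines if (m := SKEW.search(l))), None)
    # Use line order, not timestamps: timestamps before the fix are unreliable.
    fixed_at = next((i for i, l in enumerate(lines) if TIME_SET.search(l)), None)
    findings = []
    for i, line in enumerate(lines):
        if not CERT_ERR.search(line):
            continue
        logged = datetime.fromisoformat(line.split(" ", 1)[0])
        if fixed_at is not None and i < fixed_at and skew is not None:
            # Assumption: "difference" is local minus server time, inferred from
            # the forward jump in timestamps once tlsdated sets the clock.
            real = logged - timedelta(seconds=skew)
            findings.append((logged, real, "explained-by-clock-skew"))
        else:
            findings.append((logged, logged, "needs-investigation"))
    return skew, findings


if __name__ == "__main__":
    skew, findings = classify(SAMPLE)
    print(f"clock offset reported by tlsdate: {skew} s")
    for logged, real, verdict in findings:
        print(f"{verdict}: logged {logged.isoformat()}, estimated real {real.isoformat()}")
```

An error classified as needs-investigation after the time-set event matches the behaviour this report describes: the clock is correct but the connection still fails.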
