Stephen Henson via RT | 8 Jun 2012 00:35

[openssl.org #2825] Bug: Unable to connect to WPA enterprise wireless

> [openssl-dev <at> openssl.org - Fri Jun 08 00:27:27 2012]:
> 
> This is almost identical to an issue we found with openssl 1.0.1b and
> Juniper SBR version v6.13.4949
> In our case we traced it to the heartbeat extension. When the extension is
> sent in the ClientHello PEAP negotiation fails with fatal bad certificate
> alert.
> By adding # define OPENSSL_NO_HEARTBEATS to opensslconf.h we disabled the
> extension and PEAP negotiation is successful.
> 
> There really should be an API to disable this extension so that it can be
> enabled in use cases where it is needed and disabled in use cases where it
> breaks negotiation.
> 

That's rather strange behaviour, the presence of a (presumably
unsupported) extension causes a bad certificate alert? Is it just the
heartbeat extension that triggers this or would the presence of any
unknown extension cause a similar problem?

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Erik Tkal | 8 Jun 2012 15:17

RE: [openssl.org #2825] Bug: Unable to connect to WPA enterprise wireless

SBR uses OpenSSL 0.9.7e and has its own extension parsing code (0.9.7e base code just ignores anything
after the base ClientHello).  SBR only explicitly handles the SessionTicket extension (for EAP-FAST),
all others appear to be properly skipped, and SBR certainly knows nothing about the heartbeat extension.

For the case where SBR is failing it would be useful to see the data stream being sent.  I have built our Odyssey
Access Client with OpenSSL 1.0.1 and have not had this issue negotiating with SBR but maybe I did not
explicitly try PEAP.  Since this code in SBR has been present for several years and I know I've seen it ignore
other extensions, perhaps it is a client side issue that enabling the heartbeat extension is having some
other side effect?

BCCing Robert D, you can send me logs at etkal <at> juniper <dot> net if you like and I'll take a look.

  Erik

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development


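The two messages above turn on how a server-side ClientHello parser treats an extension it has never heard of: the reporter sees a fatal bad_certificate alert as soon as OpenSSL 1.0.1 adds the heartbeat extension (type 15), while Erik says SBR's own parser decodes only SessionTicket (type 35) and skips the rest. The following is an added example, written for this thread and not taken from OpenSSL or from SBR, showing what a correct skip-unknown-extensions walk over the ClientHello extensions block looks like, with the length checks an implementer needs so that an unexpected extension can neither be misread nor overrun the buffer. The heartbeat body is the single HeartbeatMode byte defined in RFC 6520, which is what OpenSSL 1.0.1 sends; the byte strings SAMPLE_EXTS and TRUNCATED_EXTS are constructed for the example, not captures from a real client.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_HEARTBEAT      15   /* RFC 6520 */
#define EXT_SESSION_TICKET 35   /* RFC 5077 */

struct hello_exts {
    int has_heartbeat;       /* 1 if a heartbeat extension was present */
    int heartbeat_mode;      /* RFC 6520 HeartbeatMode: 1 = peer_allowed_to_send, 2 = not_allowed */
    int has_session_ticket;
    size_t ticket_len;       /* 0 means an empty ticket (client asking for one) */
    unsigned unknown_count;  /* extensions skipped without being decoded */
};

/*
 * Parse the extensions block of a ClientHello: a 2-byte length, then a
 * sequence of {2-byte type, 2-byte length, body}. Returns 0 on success,
 * -1 if the block is truncated or a declared length overruns it.
 * Unknown extension types are skipped, never rejected.
 */
int parse_client_hello_exts(const uint8_t *buf, size_t len, struct hello_exts *out)
{
    size_t total, pos;

    memset(out, 0, sizeof(*out));
    if (len < 2)
        return -1;
    total = ((size_t)buf[0] << 8) | buf[1];
    if (total != len - 2)
        return -1;                 /* declared length must cover the block exactly */

    for (pos = 2; pos < len; ) {
        unsigned type;
        size_t elen;
        const uint8_t *body;

        if (len - pos < 4)
            return -1;             /* no room for type + length */
        type = ((unsigned)buf[pos] << 8) | buf[pos + 1];
        elen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
        if (elen > len - pos)
            return -1;             /* body would run past the block */
        body = buf + pos;

        switch (type) {
        case EXT_HEARTBEAT:        /* RFC 6520: exactly one mode byte, value 1 or 2 */
            if (elen != 1 || (body[0] != 1 && body[0] != 2))
                return -1;
            out->has_heartbeat = 1;
            out->heartbeat_mode = body[0];
            break;
        case EXT_SESSION_TICKET:
            out->has_session_ticket = 1;
            out->ticket_len = elen;
            break;
        default:                   /* unknown type: step over the body and carry on */
            out->unknown_count++;
            break;
        }
        pos += elen;
    }
    return 0;
}

/* Constructed sample, not a capture: empty session_ticket, heartbeat mode 1,
 * and an unknown extension of type 0xfafa with a 2-byte body. */
static const uint8_t SAMPLE_EXTS[] = {
    0x00, 0x0f,                          /* extensions length = 15 */
    0x00, 0x23, 0x00, 0x00,              /* session_ticket, empty */
    0x00, 0x0f, 0x00, 0x01, 0x01,        /* heartbeat, mode = peer_allowed_to_send */
    0xfa, 0xfa, 0x00, 0x02, 0xaa, 0xbb   /* unknown type, 2-byte body */
};

/* Constructed malformed sample: heartbeat claims a 2-byte body, only 1 byte follows. */
static const uint8_t TRUNCATED_EXTS[] = { 0x00, 0x05, 0x00, 0x0f, 0x00, 0x02, 0x01 };

/* Small wrappers over the samples so the results can be checked by name. */
int sample_heartbeat_mode(void)
{
    struct hello_exts e;
    return parse_client_hello_exts(SAMPLE_EXTS, sizeof SAMPLE_EXTS, &e) == 0 ? e.heartbeat_mode : -1;
}
int sample_unknown_count(void)
{
    struct hello_exts e;
    return parse_client_hello_exts(SAMPLE_EXTS, sizeof SAMPLE_EXTS, &e) == 0 ? (int)e.unknown_count : -1;
}
int sample_has_session_ticket(void)
{
    struct hello_exts e;
    return parse_client_hello_exts(SAMPLE_EXTS, sizeof SAMPLE_EXTS, &e) == 0 ? e.has_session_ticket : -1;
}
int truncated_result(void)
{
    struct hello_exts e;
    return parse_client_hello_exts(TRUNCATED_EXTS, sizeof TRUNCATED_EXTS, &e);
}

int main(void)
{
    printf("heartbeat mode=%d session_ticket=%d unknown=%d truncated sample %s\n",
           sample_heartbeat_mode(), sample_has_session_ticket(), sample_unknown_count(),
           truncated_result() == 0 ? "accepted" : "rejected");
    return 0;
}
```

A server that behaves like this cannot be broken by the heartbeat extension merely being present: type 15 is decoded and recorded, type 0xfafa is stepped over, and only a length that does not fit the block is rejected. If a server instead fails as soon as an unfamiliar type appears, the symptom the reporter describes would show up with any new extension, which is the distinction Steve asks about; comparing the ClientHello bytes with and without OPENSSL_NO_HEARTBEATS against such a walk is the quickest way to settle it.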