Bug 327 - Connectivity wizard and certificate selection
Status: RESOLVED DUPLICATE of bug 417
Product: Connectivity
WiFi
: 4.1.2 (4.2008.36-5)
: All All
: Medium normal with 5 votes (vote)
: ---
Assigned To: unassigned
: wifi-bugs
: moreinfo
Reported: 2005-12-06 19:03 UTC by Javier Marcos
Modified: 2010-05-25 16:06 UTC (History)
Attachments
sample certificate file (2.21 KB, application/x-x509-ca-cert)
2006-08-03 17:53 UTC, Maemo QA (deprecated)


Description Javier Marcos (reporter) 2005-12-06 19:03:30 UTC
When I try to configure a wifi connection, in this case WPA EAP (PEAP and
MSCHAPv2), the Wifi wizard doesn't let me select any certificate needed for the
connection, and I tried to select the required certificate as default for all the
WLAN connections but it doesn't work. I thought that it was bug #192 (which
is resolved) but I already installed the release 2005.45.8 and it's the same. Is
there any way to select the certificate manually?
Thanks a lot and I hope this will be helpful.

Javier Marcos.
javier_marcos@telefonica.net

PS: Sorry for my bad English.
Comment 1 Patrik Flykt nokia 2005-12-12 10:02:09 UTC
Go to Control Panel -> Connectivity -> Connections and edit your WPA EAP WLAN.
On the fourth page you can set the certificate. If you have installed
certificates for WPA EAP, but they don't appear on the list, go to Control Panel
-> Certificate manager and check the trust settings for the certificate. Select
View -> Trust to enable the certificate to be used by WLAN.

Is the problem related to the method you used to connect to the network, i.e.
did you connect to the WLAN  network from the 'Select connection' dialog?
Comment 2 Javier Marcos (reporter) 2005-12-13 21:18:04 UTC
In the Control Panel -> Connectivity -> Connections, editing my WPA EAP
connection I can't set the right certificate (on the fourth page) and the combo
shows 'None' all the time, and I have checked the option 'use the certificate by
WLAN' in the trust settings. So the connection gives me a 'Connect Error' when
I try to connect.
I use the 'Connect' dialog and next scan for available networks.
Comment 3 Patrik Flykt nokia 2005-12-14 09:22:27 UTC
I think only the 'User certificates' are the ones that can be selected from the
WLAN connectivity settings. I have to check with the developer(s) whether you'll
need the WLAN trust settings enabled also for the certificate authority.
Comment 4 Patrik Flykt nokia 2006-01-25 09:45:03 UTC
Does it help if you enable WLAN trust settings for both the user certificate
and the corresponding CA?
Comment 5 Derrick 2006-02-23 21:35:58 UTC
(In reply to comment #4)
> Does it help if you enable WLAN trust settings for both the user certificate and
> the corresponding CA?

I have confirmed similar behaviour even with WLAN trust settings for both the
user cert and CA.  The interesting part is that after importing a user cert it
initially shows up under the "User" tab but after closing the certificate
manager it gets moved to "Authorities".  This is under 3.2005.51-13.

Derrick
Comment 6 Derrick 2006-02-23 21:37:31 UTC
(In reply to comment #4)
> Does it help if you enable WLAN trust settings for both the user certificate and
> the corresponding CA?

I have confirmed similar behaviour even with WLAN trust settings for both the
user cert and CA.  The interesting part is that after importing a user cert it
initially shows up under the "User" tab but after closing the certificate
manager and re-opening it it gets moved to "Authorities".  This is under
3.2005.51-13.

Derrick
Comment 7 Andriy Tymchenko 2006-04-04 15:58:31 UTC
Would you please submit the certificates which create this problem?

If your certificates contain some secret (e.g. password), could you create new
ones, verify that the problem still exists, and submit the new ones instead?

Thank you
Comment 8 Maemo QA (deprecated) 2006-05-03 14:56:40 UTC
Claiming ownership.
Comment 9 Maemo QA (deprecated) 2006-05-03 14:59:51 UTC
Javier, or Derrick, could you please submit certificates for testing purposes
so that we can continue investigating this issue?
Comment 10 Javier Marcos (reporter) 2006-06-07 12:52:26 UTC
(In reply to comment #9)
> Javier, or Derrick, could you please submit certificates for testing purposes so
> that we can continue investigating this issue?

For the WLAN tests which I have made with the 770 I have used the following certificate:
http://wifi.ist.utl.pt/configuracoes/cacert.crt
Because I have found this issue trying to connect to my university wireless
network. I hope this will help or something.
Sorry for the time without answer.
Best regards, Javier.
Comment 11 Maemo QA (deprecated) 2006-08-03 16:56:55 UTC
Re-assign
Comment 12 Maemo QA (deprecated) 2006-08-03 17:52:21 UTC
(In reply to comment #10)
> For the WLAN tests which I have made with the 770 I have used the following certificate:
> http://wifi.ist.utl.pt/configuracoes/cacert.crt
> Because I have found this issue trying to connect to my university wireless
> network. I hope this will help or something.

Thank you for the file and sorry for the delay.
Before forwarding this problem, I'd need to know if this problem is still taking
place with the final IT 2006 firmware?
Comment 13 Maemo QA (deprecated) 2006-08-03 17:53:20 UTC
Created an attachment (id=102) [details]
sample certificate file

sample certificate file from http://wifi.ist.utl.pt/configuracoes/cacert.crt in
case it won't be available later
Comment 14 Javier Marcos (reporter) 2006-08-07 21:38:06 UTC
Yes, the problem continues in the IT2006 firmware version of the Internet
Table... Checked with the same certificate and Wireless Connection.
Comment 15 Nicolas Bareil 2006-09-12 19:16:34 UTC
(In reply to comment #14)
> Yes, the problem continues in the IT2006 firmware version of the Internet
> Table... Checked with the same certificate and Wireless Connection.

I have the same problem with the last version of the firmware, it's impossible
to connect to WPA-EAP network because the certificate doesn't show up in the
selection box.

An example of certificate is available at http://resel.fr/ca.pem, I successfully
imported it and ticked the "Trust WLAN" box...
Comment 16 Aapo Makela nokia 2006-09-13 12:57:55 UTC
(In reply to comment #15)
> I have the same problem with the last version of the firmware, it's impossible
> to connect to WPA-EAP network because the certificate doesn't show up in the
> selection box.
> 
> An example of certificate is available at http://resel.fr/ca.pem, I successfully
> imported it and ticked the "Trust WLAN" box...

The certificate in http://resel.fr/ca.pem seems to be a CA certificate without
an attached private key.

The certificate selection in question requires a user certificate with private
key, so only those certificates show up. You can't select a CA certificate
there. Instead, you can install the required CA certificate, mark it as WLAN
trusted, and it will be used automatically for authenticating the server (on 770
side).

This certificate selection is only used if the authentication server requires a user
certificate and its private key for authenticating the user. If a user
certificate is not selected, then the 770 tries to connect to the server without any
user certificate.

I hope this helps.
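
Added example, not part of the original thread and not Maemo code: a desktop-side check for the distinction comment 16 draws, reading the basicConstraints cA flag of each certificate in a PEM file and looking for a PRIVATE KEY block. It assumes the cA flag is what separates a CA certificate from a user certificate (how the 770's certificate manager decides is not stated here); the sample inputs are constructed, unsigned certificate skeletons and all function names are hypothetical.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def is_ca(der):
    """True if the certificate's basicConstraints extension sets cA=TRUE."""
    _, cs, ce = tlv(der, 0)                      # Certificate
    _, ts, te = next(children(der, cs, ce))      # tbsCertificate
    for tag, vs, _ in children(der, ts, te):
        if tag != 0xA3:                          # [3] extensions
            continue
        _, es, ee = tlv(der, vs)                 # SEQUENCE OF Extension
        for _, xs, xe in children(der, es, ee):
            parts = list(children(der, xs, xe))  # OID, [critical], OCTET STRING
            if der[parts[0][1]:parts[0][2]] == OID_BASIC_CONSTRAINTS:
                _, bs, be = tlv(der, parts[-1][1])  # BasicConstraints SEQUENCE
                first = next(children(der, bs, be), None)
                return bool(first and first[0] == 0x01 and der[first[1]] != 0)
    return False

def classify(pem_text):
    """Name the role a PEM file can play in the WLAN settings discussed above."""
    blocks = PEM_RE.findall(pem_text)
    has_key = any(label.endswith("PRIVATE KEY") for label, _ in blocks)
    cas = [is_ca(base64.b64decode(b)) for label, b in blocks if label == "CERTIFICATE"]
    if not cas:
        return "no certificate"
    if has_key and not all(cas):
        return "user certificate with private key"
    return "CA certificate only" if all(cas) else "end-entity certificate without private key"

def enc(tag, *parts):
    """Encode one DER TLV; used only to build the constructed samples."""
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    head = size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_pem(ca, with_key):
    """Constructed, unsigned certificate skeleton: sample input, not a real cert."""
    bc = enc(0x30, enc(0x01, b"\xff")) if ca else enc(0x30)
    ext = enc(0x30, enc(0x06, OID_BASIC_CONSTRAINTS), enc(0x01, b"\xff"), enc(0x04, bc))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"),
              *([enc(0x30)] * 5), enc(0xA3, enc(0x30, ext)))
    der = enc(0x30, tbs, enc(0x30), enc(0x03, b"\x00"))
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
    if with_key:  # placeholder body: only the PEM label is inspected
        pem += "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    return pem

if __name__ == "__main__":
    for ca, key in [(True, False), (False, True), (False, False)]:
        print(ca, key, "->", classify(sample_pem(ca, key)))
```

A DER-encoded .cer file or a PKCS#12 bundle has no PEM armour and is reported as "no certificate"; convert it to PEM before running the check.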
Comment 17 timeless 2006-11-21 18:57:36 UTC
derrick_karpo@intuit.com: did your certificate include the private key? (I'm
not sure if the certificate viewer gives a hint about that, I'll try to check
later)
Comment 18 Oliver Pahl 2007-01-08 15:26:14 UTC
This Bug still persists in the newest FW Version. I can import my cer File into
the certificate Manager, but it doesn't accept it as user Certificate. So I
cannot select it in the Connection dialog. But in our School the RootCA is also
used as User CA. I also tried setting the EAP_TLS_PEAP_client_certificate_file
GConf setting to my Cert. But this also doesn't work. Are there any known Fixes yet?
Comment 19 Jakub Pavelek nokia 2007-01-11 12:50:46 UTC
(In reply to comment #18)
> This Bug still persists in the newest FW Version. I can import my cer File into
> the certificate Manager, but it doesn't accept it as user Certificate. So I
> cannot select it in the Connection dialog. But in our School the RootCA is also
> used as User CA. I also tried setting the EAP_TLS_PEAP_client_certificate_file
> GConf setting to my Cert. But this also doesn't work. Are there any known Fixes
> yet?

Is there anything to fix actually? It seems that the certificate is not a user
certificate and therefore it won't show for user authentication.

I do not see any simple hack around this.
Comment 20 Oliver Pahl 2007-01-13 15:05:00 UTC
A possible fix would be to allow selection of all self-imported certificate
files in the network connection dialog. Because some schools (all in Austria :)
) are using the ca-root method.

Greetz

Oli
Comment 21 hephaestus 2007-07-17 02:39:24 UTC
I am also experiencing this problem. It appears that the gui connection manager
isn't writing out the correct %gconf.xml file used to connect to the network.
I do not know what the arguments are to add my own user cert. What would be
helpful is if we all could get a copy of a working %gconf.xml with a user pem
and ca file in it. That would give everyone a chance to reverse engineer their
respective network setups.
Comment 22 Jakub Pavelek nokia 2007-07-17 09:58:02 UTC
(In reply to comment #21)
> I am also experiencing this problem. It appears that the gui connection manager
> isn't writing out the correct %gconf.xml file used to connect to the network.
> I do not know what the arguments are to add my own user cert. What would be
> helpful is if we all could get a copy of a working %gconf.xml with a user pem
> and ca file in it. That would give everyone a chance to reverse engineer their
> respective network setups.
> 

There is a huge chunk of documentation here:
http://maemo.org/development/documentation/how-tos/3-x/howto_certificate_storage_bora.html

Currently there are no plans to change the UI.
Comment 23 hephaestus 2007-07-26 02:57:20 UTC
I have gotten as far as manually writing out a gconf file for my network. I
have not yet been able to read /usr/share/certs/certman.cst to see how my user
cert is named. In fact if I could open and edit that file there would be the
opportunity to reclassify the misclassified user certificate. Is there a way
to do this in the 770 or in the scratchbox environment?

(In reply to comment #22)
> (In reply to comment #21)
> > I am also experiencing this problem. It appears that the gui connection manager
> > isn't writing out the correct %gconf.xml file used to connect to the network.
> > I do not know what the arguments are to add my own user cert. What would be
> > helpful is if we all could get a copy of a working %gconf.xml with a user pem
> > and ca file in it. That would give everyone a chance to reverse engineer their
> > respective network setups.
> > 
> 
> There is a huge chunk of documentation here:
> http://maemo.org/development/documentation/how-tos/3-x/howto_certificate_storage_bora.html
> 
> Currently there are no plans to change the UI.
>
Comment 24 Aapo Makela nokia 2007-11-26 13:45:20 UTC
(In reply to comment #18)
> This Bug still persists in the newest FW Version. I can import my cer File into
> the certificate Manager, but it doesn't accept it as user Certificate. So I
> cannot select it in the Connection dialog. But in our School the RootCA is also
> used as User CA. I also tried setting the EAP_TLS_PEAP_client_certificate_file
> GConf setting to my Cert. But this also doesn't work. Are there any known Fixes yet?

Software should automatically use all installed and trusted Root CAs for
validating certificates received from the network. Thus there should not be any
need for selecting Root CA from the mentioned drop down menu. 

The menu is used only for specifying a user certificate with private key. This
kind of certificate is required by some networks in addition to CA certificate
validating the certificate provided by the network. IIRC, this user certificate
is sent to server for validation and not used to validate certificates received
from the server (i.e. it is used by the network to identify the user). Is the
attached certificate meant to be this kind of certificate?

Also IIRC, pre OS2008 releases have trust settings disabled for all shipped
RootCAs. RootCA validation requires that all certificates in the certificate
chain have WLAN trust enabled. Please ensure that all required certificates
have the WLAN trust setting enabled in the certificate manager.

The error described in comment #2 ('Connect Error') does not sound like a
certificate or any security related problem (unless it also shows
"authentication failed" or something similar). Are you still seeing this same
error?

I hope this information helps.
Comment 25 Trampas Kirk 2007-12-11 22:08:04 UTC
(In reply to comment #24)
> 
> Software should automatically use all installed and trusted Root CAs for
> validating certificates received from the network. Thus there should not be any
> need for selecting Root CA from the mentioned drop down menu. 
> 
> The menu is used only for specifying a user certificate with private key. This
> kind of certificate is required by some networks in addition to CA certificate
> validating the certificate provided by the network. IIRC, this user certificate
> is sent to server for validation and not used to validate certificates received
> from the server (i.e. it is used by the network to identify the user). Is the
> attached certificate meant to be this kind of certificate?
> 
> Also IIRC, pre OS2008 releases have trust settings disabled for all shipped
> RootCAs. RootCA validation requires that all certificates in the certificate
> chain have WLAN trust enabled. Please ensure that all required certificates
> have the WLAN trust setting enabled in the certificate manager.
> 
> The error described in comment #2 ('Connect Error') does not sound like a
> certificate or any security related problem (unless it also shows
> "authentication failed" or something similar). Are you still seeing this same
> error?
> 
> I hope this information helps.
> 

I have an N810 with Q2008 OS, and I seem to be experiencing the same problem.

I suspect the certificate I have is a personal certificate (it contains my full
name, which was not something I entered when I requested the certificate from
our certification server), yet it still does not appear in the certificate
selection menu.

Connection settings:
WPA EAP PEAP MSCHAPv2

The error I get is, "Authentication failed."  I'm never prompted for a username
and password despite not having them saved.  It appears to be, that since the
proper certificate is not being used, that I'm not even given the opportunity
to log in (hence the authentication failure).

I wish I could attach the certificate, but I think that would get me in trouble
here at work.

I have even tried what was suggested in this post:
http://www.internettablettalk.com/forums/showpost.php?p=61755&postcount=6 to no
avail.

The certificate seems to be personal, I enabled all three trust options, tried
those settings and it still failed.

How do I tell if it's a personal certificate with (or without) a private key?
Comment 26 technut 2007-12-15 07:42:12 UTC
The certificate attached to this bug report (sample certificate file) appears
to be a root certificate and is therefore not particularly helpful in testing.

I have created a personal/user certificate and instructions for how to import
it, here:
http://www.internettablettalk.com/forums/showthread.php?p=108882#post108882
This will allow users to test whether or not they can get a sample personal
certificate properly installed into the User tab in Certificate Manager.
Comment 27 João Pedro Santos de Sousa 2008-02-07 12:06:44 UTC
HARDWARE/SOFTWARE VERSION: N810 - OS2008 (2.2007.50-2)

INTRODUCTION: The eduroam program is a worldwide educational wireless roaming
initiative that combines the wireless connections available at universities and
educational institutions throughout the world, currently all over Europe and
also Asia, in a huge roaming network. As an example, a student or investigator
from a university in Portugal may use the wireless connection while visiting
a university in Finland, and vice-versa.

Typically these wireless connections rely on WPA-TKIP-EAP-PEAP-MSCHAPv2 or
WPA-TKIP-EAP-TTLS-PAP. More info at http://www.eduroam.org.

So you see this has a huge user impact as all university users (students,
investigators and professors) require this type of corporate connection to
work, study and roam within academic institutions.

I currently work at the Communications and Informatics Center at the University
of Aveiro, Portugal. We can connect several systems, either desktops or mobile
devices, Windows XP/Vista, Linux, MacOSX, WindowsMobile/PPC or Symbian.

STEPS TO REPRODUCE THE PROBLEM:

We use a WPA-TKIP-EAP-PEAP-MSCHAPv2 connection, based on Cisco Access Points
and MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1
(TKIP) with named user authentication.

Requirements:

SSID: eduroam
SSID hidden?: no
Network Authentication: WPA
Data encryption: TKIP
EAP Type: PEAP
Trust Root Certification Authority: GTE Cyber Trust Global Root
Authentication Protocol: MS-CHAPv2

Username: xxxxxx@ua.pt
Password: xxxxxxx

Searching for available networks and connecting to the eduroam network will
result in a user prompt. Entering the user/password will result in an
"Authentication Failed" error. Looking at our RADIUS logs we get:

User NqZFzn2N7Q7$xToGa3uDmm was denied access.
Fully-Qualified-User-Name = <undetermined>
...

The username is completely garbled and fails.

If we first setup the eduroam connection using the Connection Manager Wizard
and then search and connect we simply get an "Authentication Failed" error and
nothing even gets to the RADIUS service. I've tried several setup options, no
username, no password, manual user name, always the same result.

REPRODUCIBILITY: always

Please help, this seems to be an old issue since 2005 OS versions still
unresolved, it has a huge user impact, no users (student or otherwise) can
connect to their universities' wireless networks.

This seems to be a problem with the wireless client, like the 802.1x/EAP
communication isn't properly handled. I've checked the following bugs reported,
but no working solution was provided:

https://bugs.maemo.org/show_bug.cgi?id=417
https://bugs.maemo.org/show_bug.cgi?id=1017
https://bugs.maemo.org/show_bug.cgi?id=1635

Thank you.
Comment 28 João Pedro Santos de Sousa 2008-02-21 16:32:46 UTC
My above report still applies to OS2008 (2.2007.51-3) on N810, unfortunately.
Comment 29 timeless 2008-10-08 12:01:14 UTC
the certificate handling code is being rewritten for fremantle by the
networking team, i believe that their impetus was probably this bug.

as a warning, we intend to remove the certificate manager ui (from control
panel). you should probably still be able to select which root to use or
possibly which certificate for the wifi network connection, however i'm not
involved in that so i'm not sure about that portion.

note that these are merely my current understanding of another group's work
within Maemo Software, and I'm on vacation at this time, so my information
could be wrong.

comment 27 seems to outline a correctly designed wifi network; andre: could you
possibly find some way to make sure this is tested?
Comment 30 Andre Klapper maemo.org 2008-10-14 15:37:05 UTC
(In reply to comment #29)
> comment 27 seems to outline a correctly designed wifi network; andre: could you
> possibly find some way to make sure this is tested?

Well, it's covered by bug 417 and I've been in contact with the wifi developers
about bug 417 and bug 1017.
Comment 31 johndoe32102002 2008-12-03 19:40:52 UTC
(In reply to comment #15)
> (In reply to comment #14)
> > Yes, the problem continues in the IT2006 firmware version of the Internet
> > Table... Checked with the same certificate and Wireless Connection.
> 
> I have the same problem with the last version of the firmware, it's impossible
> to connect to WPA-EAP network because the certificate doesn't show up in the
> selection box.
> 
> An example of certificate is available at http://resel.fr/ca.pem, I successfully
> imported it and ticked the "Trust WLAN" box...

I have found the same bug to be true in the latest OS2008 firmware.  I don't
know why this bug is just Medium instead of High?
Comment 32 Quim Gil nokia 2009-01-17 00:40:56 UTC
So is this a genuine bug or a consequence of not supporting

Bug 417 : WEP with 802.1x EAP PEAP

or 

Bug 1635 : Eduroam (EAP-TTLS+PAP) WiFi auth

?
Comment 33 johndoe32102002 2009-01-18 02:44:30 UTC
This is a consequence of the software not supporting EAP PEAP but the hardware
fully supporting this encoding.  In addition, these networks are becoming much
more common than they were when the N810 was released.  Anything
network-connectivity should be a higher priority than most other bugs but lower
than major blocks to software.
Comment 34 timeless 2009-01-18 15:46:11 UTC

*** This bug has been marked as a duplicate of bug 417 ***