Re: WPA Enterprise (EAP-TLS) system connection



On Fri, 2008-12-05 at 14:25 +0100, Rafał Lichwała wrote:
> Hi,
> 
> Below are some details and updates about EAP-TLS wired connection problems
> in Network Manager.
> 
> I was looking into source code for a while and that's what I found:
> 
> When I fill in all the certs (client cert, CA cert, client key - all in 
> PEM format) and then click "Apply" I have the following in console for 
> the nm-connection-editor:
> 
> 
> #########################
> ** (nm-connection-editor:29948): WARNING **: Unhandled setting secret 
> type (write) '802-1x/private-key' : 'GArray_guchar_'
> 
> ** (nm-connection-editor:29948): WARNING **: Unhandled setting secret 
> type (write) '802-1x/phase2-private-key' : 'GArray_guchar_'
> 
> ** (nm-connection-editor:29948): WARNING **: 
> nma_gconf_connection_changed: Invalid connection 
> /system/networking/connections/4: 'NMSetting8021x' / 'client-cert' 
> invalid: 2
> #########################
> 
> And no connection settings are stored.
> 
> I've also checked that "nma_gconf_connection_changed" function is called 
> in that case (in 
> network-manager-applet/src/gconf-helpers/nma-gconf-connection.c) and 
> function fails on:
> 
> utils_fill_connection_certs (gconf_connection);
> 
> I've checked this "utils_fill_connection_certs" function (in 
> network-manager-applet/src/utils/utils.c)
> and it seems that getting file names for certificates entered by user in 
> dialogs does not work:
> 
> filename = g_object_get_data (G_OBJECT (connection), NMA_PATH_CA_CERT_TAG);
> 
> filename = g_object_get_data (G_OBJECT (connection), 
> NMA_PATH_CLIENT_CERT_TAG);
> 
> filename = g_object_get_data (G_OBJECT (connection), 
> NMA_PATH_PHASE2_CA_CERT_TAG);
> 
> filename = g_object_get_data (G_OBJECT (connection), 
> NMA_PATH_PHASE2_CLIENT_CERT_TAG);
> 
> All these "filename" variables are NULL there.
> The same in case I enter just client key in PKCS12 (in that case client 
> cert is disabled).

That's mostly the problem.  I fixed the issue in the applet svn this
morning.  We're planning on doing a 0.7.1 pretty soon which will contain
this fix.

Dan

> 
> I'm not sure if I understand the source code well, but I hope it's just
> some hint to fix the problem :)
> 
> Cheers,
> Rafal
> 
> 
> Rafał Lichwała wrote:
> > Sorry for the confusion...
> > Some dependency packages were missing... :/
> > I remembered about "apt-get build-dep network-manager", but forgot about 
> > "apt-get build-dep network-manager-applet" :/
> > 
> > I've installed them and network-manager-applet build is fine now! :)
> > 
> > So now I have NetworkManager svn4361 and network-manager-applet svn1053 
> > installed, running and ready to test :)
> > 
> > Unfortunately EAP-TLS for wired connections still does not work (which 
> > is the subject of this topic) :(
> > 
> > When I run nm-connection-editor in command line and try to create TLS 
> > wired connection I have the following error messages:
> > 
> > ################
> > ** (nm-connection-editor:6664): WARNING **: Invalid setting 802.1x 
> > Security: Invalid 802.1x security
> > 
> > ** (nm-connection-editor:6664): WARNING **: Unhandled setting secret 
> > type (write) '802-1x/private-key' : 'GArray_guchar_'
> > 
> > ** (nm-connection-editor:6664): WARNING **: Unhandled setting secret 
> > type (write) '802-1x/phase2-private-key' : 'GArray_guchar_'
> > 
> > ** (nm-connection-editor:6664): WARNING **: 
> > nma_gconf_connection_changed: Invalid connection 
> > /system/networking/connections/2: 'NMSetting8021x' / 'client-cert' 
> > invalid: 2
> > ################
> > 
> > All the certs (client cert, client key and CA cert) are in PEM format 
> > and stored in separate files.
> > 
> > Interesting thing is that after this try a connection file has been 
> > created in:
> > 
> > /etc/NetworkManager/system-connections/test
> > 
> > ("test" is a name of my test TLS wired connection).
> > and it seems to contain some valuable data.
> > But these connection settings are not visible in nm-connection-editor :(
> > There is only one (that was already there before my try) wired 
> > connection named "Ifupdown (eth0)" which cannot be modified (all the UI 
> > are disabled) and cannot be removed.
> > When I try to remove it I have "Removing connection failed: 
> > nm-settings.c.333 - Read-only connections may not be deleted.."
> > 
> > 
> > 
> > Could you please take a look at the problem of creating TLS wired 
> > connection? :)
> > 
> > Thanks!
> > 
> > Cheers,
> > Rafal
> > 
> > Rafał Lichwała wrote:
> >> Dan Williams wrote:
> >>> Compile error should be fixed in svn4361 on both trunk and 0.7 stable
> >>> branches.
> >>>   
> >>
> >> Thanks for this quick fix Dan! :)
> >> NetworkManager build is fine now.
> >>
> >> But network-manager-applet build is failing... :(
> >> So I'm still not able to build "nm-connection-editor" (which is a part 
> >> of network-manager-applet) to test against EAP-TLS connection setup.
> >>
> >> The build error is the following (network-manager-applet svn trunk 
> >> revision 1053):
> >>
> >> ###########
> >> if /bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H 
> >> -I. -I. -I../..  -I/usr/include/PolicyKit   -DPOLKIT_VERSION_MAJOR=0 
> >> -DPOLKIT_VERSION_MINOR=9 -DPOLKIT_VERSION_MICRO=0 
> >> -I/usr/include/PolicyKit -I/usr/include/dbus-1.0 
> >> -I/usr/lib/dbus-1.0/include   -DORBIT2=1 -pthread 
> >> -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include 
> >> -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include 
> >> -I/usr/include/NetworkManager -I/usr/include/libnm-glib 
> >> -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include 
> >> -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 
> >> -I/usr/include/pixman-1 -I/usr/include/freetype2 
> >> -I/usr/include/libpng12 -I/usr/include/libglade-2.0 
> >> -I/usr/include/libxml2 -I/usr/include/gconf/2 -I/usr/include/orbit-2.0 
> >> -I/usr/include/gnome-keyring-1     -Wall -Werror -std=gnu89 -g -O2 
> >> -Wshadow -Wmissing-declarations -Wmissing-prototypes 
> >> -Wdeclaration-after-statement -Wfloat-equal -Wno-unused-parameter 
> >> -Wno-sign-compare -MT libpolkit_helpers_la-polkit-gnome-action.lo -MD 
> >> -MP -MF ".deps/libpolkit_helpers_la-polkit-gnome-action.Tpo" -c -o 
> >> libpolkit_helpers_la-polkit-gnome-action.lo `test -f 
> >> 'polkit-gnome-action.c' || echo './'`polkit-gnome-action.c; \
> >>    then mv -f ".deps/libpolkit_helpers_la-polkit-gnome-action.Tpo" 
> >> ".deps/libpolkit_helpers_la-polkit-gnome-action.Plo"; else rm -f 
> >> ".deps/libpolkit_helpers_la-polkit-gnome-action.Tpo"; exit 1; fi
> >> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I. -I../.. 
> >> -I/usr/include/PolicyKit -DPOLKIT_VERSION_MAJOR=0 
> >> -DPOLKIT_VERSION_MINOR=9 -DPOLKIT_VERSION_MICRO=0 
> >> -I/usr/include/PolicyKit -I/usr/include/dbus-1.0 
> >> -I/usr/lib/dbus-1.0/include -DORBIT2=1 -pthread 
> >> -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include 
> >> -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include 
> >> -I/usr/include/NetworkManager -I/usr/include/libnm-glib 
> >> -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include 
> >> -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 
> >> -I/usr/include/pixman-1 -I/usr/include/freetype2 
> >> -I/usr/include/libpng12 -I/usr/include/libglade-2.0 
> >> -I/usr/include/libxml2 -I/usr/include/gconf/2 -I/usr/include/orbit-2.0 
> >> -I/usr/include/gnome-keyring-1 -Wall -Werror -std=gnu89 -g -O2 
> >> -Wshadow -Wmissing-declarations -Wmissing-prototypes 
> >> -Wdeclaration-after-statement -Wfloat-equal -Wno-unused-parameter 
> >> -Wno-sign-compare -MT libpolkit_helpers_la-polkit-gnome-action.lo -MD 
> >> -MP -MF .deps/libpolkit_helpers_la-polkit-gnome-action.Tpo -c 
> >> polkit-gnome-action.c  -fPIC -DPIC -o 
> >> .libs/libpolkit_helpers_la-polkit-gnome-action.o
> >> cc1: warnings being treated as errors
> >> polkit-gnome-action.c: In function ‘_compute_polkit_result_direct’:
> >> polkit-gnome-action.c:816: error: 
> >> ‘polkit_context_can_caller_do_action’ is deprecated (declared at 
> >> /usr/include/PolicyKit/polkit/polkit-context.h:173)
> >> polkit-gnome-action.c:827: error: 
> >> ‘polkit_context_can_caller_do_action’ is deprecated (declared at 
> >> /usr/include/PolicyKit/polkit/polkit-context.h:173)
> >> make[3]: *** [libpolkit_helpers_la-polkit-gnome-action.lo] Error 1
> >> ###########
> >>
> >>
> >> PolicyKit stuff in Ubuntu 8.10 is in version 0.9-1
> >>
> >> Is it possible to apply another quick fix to move the build forward? :)
> >>
> >> Thanks!
> >>
> >> Cheers,
> >> Rafal
> >>
> >>
> >>
> >> _______________________________________________
> >> NetworkManager-list mailing list
> >> NetworkManager-list gnome org
> >> http://mail.gnome.org/mailman/listinfo/networkmanager-list
> > 
> > 
> 
> 
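
A small triage parser for the `nm-connection-editor` warnings quoted in this thread, added here as an illustration and not code from NetworkManager or from either poster: it rejoins the mail-wrapped warning lines and extracts the secret key, connection path, setting, property and error code. The function names and the `kind` labels are made up for this example.

```python
import re

# Warning text copied from the thread above, mail line wrapping included.
SAMPLE_LOG = """\
** (nm-connection-editor:29948): WARNING **: Unhandled setting secret
type (write) '802-1x/private-key' : 'GArray_guchar_'

** (nm-connection-editor:29948): WARNING **: Unhandled setting secret
type (write) '802-1x/phase2-private-key' : 'GArray_guchar_'

** (nm-connection-editor:29948): WARNING **:
nma_gconf_connection_changed: Invalid connection
/system/networking/connections/4: 'NMSetting8021x' / 'client-cert'
invalid: 2
"""

START = re.compile(r"^\*\* \([^:()]+:(?P<pid>\d+)\): WARNING \*\*:\s*(?P<rest>.*)$")
SECRET = re.compile(r"Unhandled setting secret type \(write\) '(?P<key>[^']+)' : '(?P<gtype>[^']+)'")
INVALID = re.compile(r"(?P<func>\w+): Invalid connection (?P<path>\S+): "
                     r"'(?P<setting>[^']+)' / '(?P<prop>[^']+)' invalid: (?P<code>\d+)")

def join_records(text):
    """Rejoin each wrapped warning into one line; a blank line or a new '** (' ends it."""
    records = []
    for chunk in re.split(r"(?m)^(?=\*\* \()|\n[ \t]*\n", text):
        start = START.match(" ".join(chunk.split()))  # collapse the wrapping
        if start:  # chunks that are not GLib warnings are dropped
            records.append({"pid": int(start["pid"]), "msg": start["rest"]})
    return records

def triage(text):
    """Classify each warning and pull out the fields needed to locate the failure."""
    findings = []
    for rec in join_records(text):
        secret, invalid = SECRET.search(rec["msg"]), INVALID.search(rec["msg"])
        if secret:
            findings.append({"kind": "unhandled-secret", **secret.groupdict()})
        elif invalid:
            findings.append({"kind": "invalid-connection", **invalid.groupdict(),
                             "code": int(invalid["code"])})
        else:
            findings.append({"kind": "other", "msg": rec["msg"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
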


