nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

ppp-options file wrong with user certificate p12 #122

Closed madman9999 closed 4 years ago

madman9999 commented 4 years ago

The file gets generated like this, but the CA entry is wrong.

soeren@soeren-virtual-machine:~/certificate/x2ltpd$ more ppp-options
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
need-peer-eap
key "/var/run/nm-l2tp-4710cd50-00cb-467d-9ff0-258a2eb3e101/key.pem"
cert "/var/run/nm-l2tp-4710cd50-00cb-467d-9ff0-258a2eb3e101/cert.pem"
ca "/home/soeren/unprotected.p12"
lcp-echo-failure 0
lcp-echo-interval 0
plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so
mru 1400
mtu 1400

It should look like this:

soeren@soeren-virtual-machine:~/certificate/x2ltpd$ more ppp-options
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
need-peer-eap
key "/var/run/nm-l2tp-4710cd50-00cb-467d-9ff0-258a2eb3e101/key.pem"
cert "/var/run/nm-l2tp-4710cd50-00cb-467d-9ff0-258a2eb3e101/cert.pem"
ca "/var/run/nm-l2tp-4710cd50-00cb-467d-9ff0-258a2eb3e101/ca.pem"
lcp-echo-failure 0
lcp-echo-interval 0
plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so
mru 1400
mtu 1400

Thanks

Regards, Sören
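A small lint for the generated ppp-options file, added here as an example and not part of nm-l2tp: it parses the options the way pppd reads them (one option per line, shell-style quoting) and flags the exact mix-up from this report, a key/cert/ca entry that points at the user's PKCS#12 bundle instead of the PEM file nm-l2tp unpacks into its runtime directory. The sample option files and the runtime-directory prefix are constructed from the paths shown above.

```python
"""Lint an nm-l2tp generated ppp-options file for the EAP-TLS file mix-up (added example)."""
import shlex
from pathlib import PurePosixPath

# Constructed samples, shaped like the ppp-options files shown in the report.
RUNTIME_DIR = "/var/run/nm-l2tp-4710cd50-00cb-467d-9ff0-258a2eb3e101"
BUGGY = f"""nodetach
usepeerdns
noauth
need-peer-eap
key "{RUNTIME_DIR}/key.pem"
cert "{RUNTIME_DIR}/cert.pem"
ca "/home/soeren/unprotected.p12"
plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so
mtu 1400
"""
FIXED = BUGGY.replace('"/home/soeren/unprotected.p12"', f'"{RUNTIME_DIR}/ca.pem"')


def parse_ppp_options(text):
    """Return {option: [args]} for a pppd options file (one option per line, shell quoting)."""
    opts = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts[tokens[0]] = tokens[1:]
    return opts


def check_eap_tls_files(opts, runtime_prefix="/var/run/nm-l2tp-"):
    """Flag key/cert/ca entries that are not the PEM files nm-l2tp writes to its runtime dir.

    pppd's EAP-TLS code reads PEM files, so a user-supplied PKCS#12 bundle must have been
    unpacked into <runtime dir>/{key,cert,ca}.pem first; the bug here is 'ca' still pointing
    at the .p12. The runtime_prefix is an assumption based on the paths in the report.
    """
    findings = []
    for opt in ("key", "cert", "ca"):
        args = opts.get(opt)
        if not args:
            findings.append(f"{opt}: missing from ppp-options")
            continue
        path = PurePosixPath(args[0])
        if path.suffix.lower() in (".p12", ".pfx"):
            findings.append(f"{opt}: points at a PKCS#12 bundle ({path}), pppd expects PEM")
        elif not str(path).startswith(runtime_prefix):
            findings.append(f"{opt}: {path} is outside the nm-l2tp runtime directory")
    return findings


if __name__ == "__main__":
    for name, text in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, check_eap_tls_files(parse_ppp_options(text)) or "OK")
```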

dkosovic commented 4 years ago

Should be fixed with commit# https://github.com/nm-l2tp/NetworkManager-l2tp/commit/8582a47d1041b87ed4bc250e3fd47a95296109b1

Thanks. I'll probably release a new NetworkManager-l2tp 1.8.2 on the weekend (note: NetworkManager convention is that odd numbers are developer releases, even are stable, I don't bother with developer releases so there won't be a 1.8.1). But let me know if the connection now works?

Cheers, Doug

madman9999 commented 4 years ago

The file is now correct, but I see this:

Feb 18 23:34:57 soeren-virtual-machine pppd[14080]: EAP-TLS: Cannot use private key /home/soeren/certificate/macbook.p12
Feb 18 23:34:57 soeren-virtual-machine pppd[14080]: EAP: peer reports authentication failure

Do you know, why it shows the .p12 file?

madman9999 commented 4 years ago

This is a p12 file without a password, another error:

Feb 18 23:42:00 soeren-virtual-machine NetworkManager[695]: [1582065720.5748] devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Feb 18 23:42:00 soeren-virtual-machine NetworkManager[695]: [1582065720.5751] device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Feb 18 23:42:00 soeren-virtual-machine pppd[16968]: Unable to obtain EAP-TLS password for soeren-virtual-machine (/var/run/nm-l2tp-374573b5-c283-46c1-b3dc-40d1054cd6c6/key.pem) from plugin
Feb 18 23:42:00 soeren-virtual-machine pppd[16968]: EAP-TLS: Cannot get secret/password for client "soeren-virtual-machine", server ""
Feb 18 23:42:00 soeren-virtual-machine pppd[16968]: EAP: peer reports authentication failure

dkosovic commented 4 years ago

Commit # https://github.com/nm-l2tp/NetworkManager-l2tp/commit/5d7fad87b2534bd666a51dbea14b8800dfbcff54 should fix the Unable to obtain EAP-TLS password issue. But I haven't had a successful authentication as I'm getting the following error:

sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]

Not sure yet if I misconfigured the L2TP server, or if it is a different client bug.

dkosovic commented 4 years ago

I believe I know why it still shows the .p12 file, the following line in the password handling is the culprit: https://github.com/nm-l2tp/NetworkManager-l2tp/blob/master/src/nm-l2tp-service.c#L1543

I'll spend a bit of time over the weekend and try and fix this issue and a number of other issues that I believe could happen.

madman9999 commented 4 years ago

Great, thank you :)

dkosovic commented 4 years ago

I had absolutely no luck in getting an L2TP server working with user certificates, so haven't been able to fix issues by testing.

But I believe with commit # https://github.com/nm-l2tp/NetworkManager-l2tp/commit/3c4b8a183d2ad91aa97cf82caceeba6279bd1ac7 it should fix the issue of the wrong private key file being used at runtime if a PKCS#12 user certificate is supplied.

dkosovic commented 4 years ago

I finally managed to confirm the user certificate support is working with PEM, DER and PKCS#12 certificates and with password or without a certificate/key password.

Turns out the EAP-TLS patch for pppd doesn't support TLS 1.3 (e.g. when openssl 1.1.1 is used on both the client and server ends), so I was getting the following errors and then subsequently authentication fails:

Mar 20 07:39:00 pppd[4647]: SSL message contains unknown content type: 257
Mar 20 07:39:00 pppd[4647]: Handshake: Unknown SSL3 code received: 8
Mar 20 07:39:00 pppd[4647]:  <- SSL/TLS Header: TLS 1.2
Mar 20 07:39:00 pppd[4647]: SSL message contains unknown content type: 257
Mar 20 07:39:00 pppd[4647]:  <- Handshake: Certificate Request
Mar 20 07:39:00 pppd[4647]:  <- SSL/TLS Header: TLS 1.2

As a workaround, I ended up rebuilding openssl with the no-tls1_3 configure switch on the server side so TLS 1.3 wouldn't be attempted. I will report the issue to the EAP-TLS patch maintainer.