Recently upgraded to Ubuntu 22.04, and had some issues activating my eduroam WiFi connection. Specifically, I got the following message in syslog:
Mai 04 11:42:11 sliver wpa_supplicant[687]: TLS: Certificate verification failed, error 68 (CA signature digest algorithm too weak) depth 0 for '/C=DK/ST=Denmark/O=Aalborg Universitet/OU=IT Services/CN=wifi.aau.dk'
Right now, I can only activate the eduroam connection when I do not use a certificate. Looking at it with openssl x509 ..., it seems the certificate is still using SHA-1.
Is this an issue to be fixed by the cert issuer (i.e. my university's IT ppl), or is it an issue with the update to 22.04?
The issue here is because of Ubuntu following the OpenSSL 3 migration, and having a default security level of 2. The default security levels can be explained here (under "Default Callback Behavior") explaining what each level means in OpenSSL 3.0. Ubuntu uses the default level of 2 on the versions of OpenSSL it ships.
As of Ubuntu 22.04 Jammy, OpenSSL uses the default security level of 2. In the OpenSSL 3.0 migration guide changes were made to the OpenSSL default of level 1 such that "X509 certificates signed using SHA1 are no longer allowed at security level 1 and above." Unfortunately, because SHA1 certificates are 'insecure' now, you have to drop your config down to the security level of 0 which lets everything be accepted. Which is insecure, but until your IT group updates the certs, you don't have much of a choice here.
Per this answer, you should be able to adjust your configuration to use the older security defaults. I've adapted those instructions here.
Edit your /etc/ssl/openssl.cnf file. At the beginning of the file, add this:
Then reboot your system to make sure that the security levels are properly set, and test connecting. You should no longer have this issue. Be advised that this reduces the overall security of your system and may leave you open to vulnerabilities in older protocols and security ciphers in use on older sites or intentionally malicious sites.
Ultimately, the IT group of your university needs to reissue the certificate with a SHA256 signature and apply it to the eduroam infrastructure on their end. The aforementioned approach to reduce the security defaults is not guaranteed to be secure since SHA1 signed certificates are considered deprecated now by SSL standards. You should remove the configuration that is done here as soon as the IT team updates their certificates.
Alternatively, don't use a cert with your eduroam connection in the interim.
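As an added example (not part of the answer above, and not the page's or Ubuntu's own code), a POSIX shell helper that reports a certificate's signature digest the way the question's openssl x509 check does, so you can tell when the reissued eduroam certificate no longer needs the workaround. It assumes openssl(1) is installed, and the openssl.cnf fragment it prints is the assumed form of the SECLEVEL=0 override the answer refers to.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes openssl(1) is
# installed and the argument is a PEM certificate (e.g. exported from the
# eduroam profile). The openssl.cnf fragment is the assumed form of the override.

# Digests OpenSSL 3 refuses at security level >= 1.
sig_alg_is_weak() {
    case "$1" in
        sha1*|md5*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Signature algorithm of a PEM certificate, e.g. "sha1WithRSAEncryption".
# -text prints "Signature Algorithm:" twice; the first is the signed one.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# 0 when the cert would fail with "CA signature digest algorithm too weak"
# at the default SECLEVEL=2.
is_sha1_signed() {
    sig_alg_is_weak "$(cert_sig_alg "$1")"
}

# Fragment to prepend to /etc/ssl/openssl.cnf for the interim workaround.
# SECLEVEL=0 re-enables SHA-1 signatures system-wide (default is 2).
seclevel0_fragment() {
    cat <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0
EOF
}

# Usage: sh check_cert.sh CERT.pem  (exit 2 while the override is still needed)
if [ $# -eq 1 ]; then
    alg=$(cert_sig_alg "$1")
    if is_sha1_signed "$1"; then
        echo "$1: signed with $alg -> still needs the SECLEVEL=0 override"; exit 2
    else
        echo "$1: signed with $alg -> override can be removed"
    fi
fi
```

Run it against the certificate each time IT announces a change; once it reports a SHA-256 signature, remove the fragment from /etc/ssl/openssl.cnf and reboot.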