* Re: wpa_supplicant and GnuTLS
@ 2009-09-08  7:23 Howard Chu
  2009-09-08  7:30 ` Howard Chu
  2009-09-09  7:32 ` Holger Hans Peter Freyther
  0 siblings, 2 replies; 4+ messages in thread
From: Howard Chu @ 2009-09-08  7:23 UTC (permalink / raw)
  To: openembedded-devel

On the Always Innovating TouchBook I've found that the wpa_supplicant always 
fails on WPA-EAP authentication in its default package, built with GnuTLS. It 
works fine when I rebuild it using OpenSSL. It's surprising the number of 
packages in the distro that depend on GnuTLS. I think you should seriously 
reconsider relying on such a volatile library in your builds.

-------- Original Message --------
Subject: Re: wpa_supplicant
Date: Tue, 08 Sep 2009 00:02:43 -0700
From: Gregoire Gentil <gregoire@gentil.com>
Reply-To: gregoire@gentil.com
Organization: Gregoire Gentil
To: Howard Chu <hyc@symas.com>

I have no experience with gnutls vs. openssl and I didn't patch
anything. It's OE which is using gnutls and unfortunately, there is a
bunch of packages depending on gnutls :-(. I think that in the situation
you raise, it's really the wpa-supplicant recipe that matters:
http://cgit.openembedded.net/cgit.cgi/openembedded/tree/recipes/wpa-supplicant

I can try to replace the gnutls depends with openssl but I'm not an expert in
this, so I'm not sure of the result.

Grégoire


On Mon, 2009-09-07 at 23:19 -0700, Howard Chu wrote:
> Also, as I mentioned in bug #8, the wpa_supplicant built with GnuTLS doesn't
> work for me; it only works when built with OpenSSL. I suppose I should point
> out that GnuTLS doesn't exactly have a brilliant history in my experience.
>
> http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
>
> http://www.openldap.org/lists/openldap-bugs/200908/msg00080.html
> http://www.openldap.org/lists/openldap-bugs/200908/msg00084.html
> http://www.openldap.org/lists/openldap-bugs/200903/msg00049.html
> http://www.openldap.org/lists/openldap-bugs/200903/msg00050.html
> http://www.openldap.org/lists/openldap-bugs/200805/msg00094.html
> http://www.openldap.org/lists/openldap-bugs/200802/msg00080.html
>
> The software is immature and the coders behind the project have insufficient
> experience with programming, let alone security software programming. I
> strongly recommend sticking with OpenSSL and removing all GnuTLS dependencies
> from your distro.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/




* Re: wpa_supplicant and GnuTLS
From: Howard Chu @ 2009-09-08  7:30 UTC (permalink / raw)
  To: openembedded-devel

Howard Chu wrote:
> On the Always Innovating TouchBook I've found that the wpa_supplicant always
> fails on WPA-EAP authentication in its default package, built with GnuTLS. It
> works fine when I rebuild it using OpenSSL. It's surprising the number of
> packages in the distro that depend on GnuTLS. I think you should seriously
> reconsider relying on such a volatile library in your builds.

Another note, looking at the diff of recipes/wpa-supplicant/files/defconfig 
and defconfig-0.6-gnutls

@@ -132,6 +95,10 @@
  # a file that usually has extension .p12 or .pfx)
  CONFIG_PKCS12=y

+# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
+# engine.
+CONFIG_SMARTCARD=y
+
  # PC/SC interface for smartcards (USIM, GSM SIM)
  # Enable this if EAP-SIM or EAP-AKA is included
  #CONFIG_PCSC=y
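Review bot: CONFIG_SMARTCARD=y is dead configuration in a GnuTLS-specific defconfig: the comment added with it says smartcard support works "e.g., with openssl engine", yet this diff is against defconfig-0.6-gnutls, where CONFIG_TLS is not openssl. Either drop the three added lines from defconfig-0.6-gnutls or add a comment stating which backend actually honours the option, so the diff does not advertise a feature the GnuTLS build cannot provide.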

...

+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS (needed for TLS/IA, see also CONFIG_GNUTLS_EXTRA)
+# none = Empty template
+CONFIG_TLS=gnutls
+
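Review bot: the added comment says gnutls is "needed for TLS/IA, see also CONFIG_GNUTLS_EXTRA", but the hunk sets `CONFIG_TLS=gnutls` without setting or mentioning CONFIG_GNUTLS_EXTRA anywhere in the shown lines. If TLS/IA is the reason for selecting gnutls here, add `CONFIG_GNUTLS_EXTRA=y` next to `CONFIG_TLS=gnutls`; if it is not, a one-line comment on why gnutls is preferred over the documented default (`# openssl = OpenSSL (default)`) would save the next reader from guessing.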

setting CONFIG_SMARTCARD is pointless since GnuTLS has no hardware engine 
support. (Or: using GnuTLS is pointless if you actually want smartcard support...)

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/




* Re: wpa_supplicant and GnuTLS
From: Holger Hans Peter Freyther @ 2009-09-09  7:32 UTC (permalink / raw)
  To: openembedded-devel

On Tuesday 08 September 2009 09:23:46 Howard Chu wrote:
> On the Always Innovating TouchBook I've found that the wpa_supplicant
> always fails on WPA-EAP authentication in its default package, built with
> GnuTLS. It works fine when I rebuild it using OpenSSL. It's surprising the
> number of packages in the distro that depend on GnuTLS. I think you should
> seriously reconsider relying on such a volatile library in your builds.

Thanks, do you note that there are at least two things to consider? OpenSSL is
considered to not be GPL compatible. So people that want to distribute
binaries or don't want to advertise Eric Young can use GnuTLS or no SSL at
all.

Do you have any idea why wpa_supplicant is failing with GnuTLS? Is it in
wpa_supplicant or GnuTLS?

z.




* Re: wpa_supplicant and GnuTLS
From: Phil Blundell @ 2009-09-09 10:30 UTC (permalink / raw)
  To: openembedded-devel

On Wed, 2009-09-09 at 09:32 +0200, Holger Hans Peter Freyther wrote:
> On Tuesday 08 September 2009 09:23:46 Howard Chu wrote:
> > On the Always Innovating TouchBook I've found that the wpa_supplicant
> > always fails on WPA-EAP authentication in its default package, built with
> > GnuTLS. It works fine when I rebuild it using OpenSSL. It's surprising the
> > number of packages in the distro that depend on GnuTLS. I think you should
> > seriously reconsider relying on such a volatile library in your builds.
> 
> Thanks, do you note that there are at least two things to consider? OpenSSL is
> considered to not be GPL compatible. So people that want to distribute
> binaries or don't want to advertise Eric Young can use GnuTLS or no SSL at
> all.

Or yassl, I guess.  I haven't tried it myself, but in theory yassl is
meant to be approximately API-compatible with openssl so it might not be
too much of an upheaval to make wpa-supplicant work with it.

That aside, though, which SSL library to use is probably something that
ought to be a DISTRO choice rather than hard-wired.  Both OpenSSL and
GnuTLS clearly have their downsides and neither of them is going to be
suitable in all situations.

p.





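As an added example, not code from this thread or from OpenEmbedded's wpa-supplicant recipe: a small POSIX shell helper that turns the single distro-level TLS choice Phil argues for into the CONFIG_TLS fragment of wpa_supplicant's .config, and refuses the CONFIG_SMARTCARD=y plus CONFIG_TLS=gnutls combination Howard points out is pointless, instead of silently emitting a config that builds but lacks the feature. The function names, the WPA_TLS_BACKEND / WPA_SMARTCARD environment variables and the accepted backend list (the three values the quoted defconfig comment lists: openssl, gnutls, none) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not OpenEmbedded's recipe): derive wpa_supplicant's build-time
# TLS settings from one distro-level choice instead of hard-wiring them in two
# separate defconfig files.

# tls_backend_ok BACKEND -> 0 if BACKEND is one of the values the quoted
# defconfig comment lists for CONFIG_TLS (assumed: openssl, gnutls, none).
tls_backend_ok() {
    case "$1" in
        openssl|gnutls|none) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_wpa_tls_config BACKEND SMARTCARD(yes|no)
# Prints the TLS-related .config lines on stdout.
# Exits 1 for a combination that cannot work: CONFIG_SMARTCARD relies on the
# OpenSSL engine interface, so asking for it with gnutls or none is an error.
gen_wpa_tls_config() {
    backend="$1"
    smartcard="${2:-no}"

    tls_backend_ok "$backend" || {
        echo "unsupported CONFIG_TLS value: $backend" >&2
        return 1
    }

    if [ "$smartcard" = yes ] && [ "$backend" != openssl ]; then
        echo "CONFIG_SMARTCARD requires CONFIG_TLS=openssl (got $backend)" >&2
        return 1
    fi

    printf 'CONFIG_TLS=%s\n' "$backend"
    # PKCS#12 client credentials are backend-independent, keep them enabled.
    printf 'CONFIG_PKCS12=y\n'
    if [ "$smartcard" = yes ]; then
        printf 'CONFIG_SMARTCARD=y\n'
    fi
    if [ "$backend" = gnutls ]; then
        # The defconfig comment ties TLS/IA under gnutls to CONFIG_GNUTLS_EXTRA;
        # emit it commented out so the choice is visible rather than implicit.
        printf '#CONFIG_GNUTLS_EXTRA=y\n'
    fi
    return 0
}

# Stand-alone use: the distro sets the backend once, here through an assumed
# WPA_TLS_BACKEND variable; the fragment goes to stdout for appending to .config.
if [ -n "${WPA_TLS_BACKEND:-}" ]; then
    gen_wpa_tls_config "$WPA_TLS_BACKEND" "${WPA_SMARTCARD:-no}"
fi
```

Running `WPA_TLS_BACKEND=gnutls WPA_SMARTCARD=yes sh gen.sh` fails loudly at build time, which is the check the two defconfig files in Howard's diff do not give you; `WPA_TLS_BACKEND=openssl WPA_SMARTCARD=yes sh gen.sh` prints the three CONFIG_ lines for the OpenSSL build.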
