24.7 Production Series / Re: 24.7 Upgrade from 24.1.10 broke my AT&T Fiber Bypass
« on: August 06, 2024, 08:59:17 pm »
This is the last time I start a major OS upgrade right before going to sleep. I was in the same boat that I've never had any other problems with updates, but this one broke my ATT bypass. I went back to the gateway until I could sort it out and was reminded why the bypass solution was so much better. I've been experiencing random connection dropouts and can't get IPv6 to work in IP pass through mode.
However, I believe I have found the solution! I ran wpa_supplicant in verbose mode and got some warnings related to TLS.
Code:
EAP: Received EAP-Request id=29 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
ngeth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
OpenSSL: tls_connection_client_cert - SSL_use_certificate_file failed error:0A00018E:SSL routines::ca md too weak
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
It seems like we must have gotten an OpenSSL update or a wpa_supplicant update that makes it now reject the certificates as insecure by default. My solution is to update the wpa_supplicant.conf to include openssl_ciphers=DEFAULT@SECLEVEL=0. That makes it get further in the process. It then says that it also needs allow_unsafe_renegotiation=1 in the phase1 config. With both of those changes, I am now back in business. My complete wpa_supplicant.conf looks like this:
Code:
eapol_version=1
ap_scan=0
fast_reauth=1
# Lower OpenSSL's security level so the certificate that failed with
# "ca md too weak" at the default level is accepted again.
openssl_ciphers=DEFAULT@SECLEVEL=0
network={
    eap=TLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    # allow_unsafe_renegotiation=1 was the second change needed after the
    # cipher-string change above.
    phase1="allow_canned_success=1 allow_unsafe_renegotiation=1"
}
I don't know if this is the best solution, but it is working for now.
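An added example for checking the diagnosis above before reaching for SECLEVEL=0 (editor's addition; it is not from the post, OPNsense or wpa_supplicant). The "ca md too weak" error comes from OpenSSL's security-level check when the client certificate is loaded: OpenSSL 3 no longer accepts SHA-1 or MD5 certificate signatures at security level 1 and above, and level 1 (or 2 on some distributions) is the default. The script reproduces that with the openssl CLI alone: it builds a constructed CA and a constructed SHA-1-signed client certificate, prints the certificate's signature algorithm, then loads the certificate through openssl s_client first at the default level and then with DEFAULT@SECLEVEL=0. Point sig_algo at the real client certificate to confirm it is the weak signature that trips the check. It assumes OpenSSL 3.x and a POSIX shell; the connection target is a UNIX socket that does not exist, so nothing leaves the machine. Keep in mind that SECLEVEL=0 lowers the strength checks for everything on that TLS connection, not just this certificate, and that allow_unsafe_renegotiation=1 is a separate relaxation (it lets OpenSSL talk to a peer that does not support the RFC 5746 secure renegotiation extension, which OpenSSL 3 refuses by default).

```shell
#!/bin/sh
# Added example (not from the original post, OPNsense, or wpa_supplicant).
# Reproduces the "ca md too weak" rejection from the log above using only
# the openssl CLI and a constructed SHA-1-signed client certificate, and
# shows that DEFAULT@SECLEVEL=0 is what lets that certificate load.
# Assumes OpenSSL 3.x (the behaviour the post ran into) and a POSIX shell.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a SHA-256-signed CA that issues a SHA-1-signed
# client certificate. The leaf must be CA-issued rather than self-signed,
# because OpenSSL skips the signature-strength check for self-signed certs.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=constructed-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -sha1 -days 30 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null
}

# Report the signature algorithm of a PEM certificate, e.g.
# "sha1WithRSAEncryption". Run this against the real client certificate:
# a SHA-1 or MD5 signature is exactly what OpenSSL 3 refuses at level 1.
sig_algo() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Load a client cert+key into an SSL_CTX under the given cipher string, the
# same SSL_CTX_use_certificate path that wpa_supplicant's
# SSL_use_certificate_file call goes through. The "connection" targets a
# UNIX socket that does not exist, so the run stops right after the
# certificate is (or is not) accepted, entirely offline.
# Prints "too-weak" when OpenSSL rejects the certificate, else "loaded".
try_load() {  # $1 cert, $2 key, $3 cipher string such as DEFAULT@SECLEVEL=0
    out=$(openssl s_client -cert "$1" -key "$2" -cipher "$3" \
              -unix "$WORK/no-such-socket" 2>&1 </dev/null) || true
    case "$out" in
        *"too weak"*) echo too-weak ;;
        *)            echo loaded ;;
    esac
}

make_certs
echo "client cert signature : $(sig_algo "$WORK/client.pem")"
echo "load at default level : $(try_load "$WORK/client.pem" "$WORK/client.key" DEFAULT)"
echo "load at SECLEVEL=0    : $(try_load "$WORK/client.pem" "$WORK/client.key" DEFAULT@SECLEVEL=0)"
```

On OpenSSL 3 the default-level load reports too-weak and the SECLEVEL=0 load reports loaded; on OpenSSL 1.1.1, which still rated SHA-1 signatures as strong enough for level 1, both report loaded, which matches the post's observation that the same configuration worked before the upgrade.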