Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.0
Component/s: wpa_supplicant
Labels:
- rn-yml

Fixed in Build:
wpa_supplicant-2.11-4.el10
Regression:
No
Severity:
Important
sprint_count:
3

AssignedTeam:
rhel-net-core-2
Sub-System Group:

ssg_networking

Dev Target Milestone:
12
Internal Target Milestone:
16
Story Points:
2
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
NST-Core2-25W22, NST-Core2-25W26, NST-Core2-25W30

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/153589
Test Coverage:

Manual

Release Note Type:
Bug Fix
Release Note Text:

Hide
.Network authentication methods using PKCS #11 with `wpa_supplicant` has been fixed

In RHEL 10, engines that are not compatible with the Federal Information Processing Standard (FIPS), such as the OpenSSL engine API, have been removed. Consequently, the dependent `wpa_supplicant` service could not load X.509 certificates and keys stored in PKCS #11 URI format. This prevented any EAP-TLS authentication method and variants using PKCS #11 did not connect to the relevant network. To fix this problem, `wpa_supplicant` now depends on the `pkcs11-provider` package and uses the same-named library to load X.509 certificates and keys from a PKCS #11 storage. As a result, network authentication methods using PKCS #11 work as expected.

Show
.Network authentication methods using PKCS #11 with `wpa_supplicant` has been fixed In RHEL 10, engines that are not compatible with the Federal Information Processing Standard (FIPS), such as the OpenSSL engine API, have been removed. Consequently, the dependent `wpa_supplicant` service could not load X.509 certificates and keys stored in PKCS #11 URI format. This prevented any EAP-TLS authentication method and variants using PKCS #11 did not connect to the relevant network. To fix this problem, `wpa_supplicant` now depends on the `pkcs11-provider` package and uses the same-named library to load X.509 certificates and keys from a PKCS #11 storage. As a result, network authentication methods using PKCS #11 work as expected.
Release Note Status:
Done
ProdDocsReview-CCS:
Done
ProdDocsReview-Dev:
Done
ProdDocsReview-QE:
Not Required

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

see: https://patchwork.ozlabs.org/project/hostap/patch/45e5db9092233e35afd5acd77ca9d4de8f28c056.1736949709.git.davide.caratti@gmail.com/

blocks

RHEL-83390 use pkcs11-provider to resolve PKCS11 URIs in wpa_supplicant

Closed

links to

RHBA-2025:153589 wpa_supplicant update

Assignee:: Davide Caratti

Reporter:: Davide Caratti

Developer:: Davide Caratti

QA Contact:: Laura Trivelloni

Doc Contact:: Marc Muehlfeld

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/04/11 3:56 PM

Updated:: 2025/08/19 5:58 PM

Dev Target end:: 2025/05/19

Target end:: 2025/06/16

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates