Trouble connection to eduroam - openssl 1.1.0.e vs 1.0.2.l

Mauro Santos registo.mailling at gmail.com
Fri May 26 14:48:36 PDT 2017


On 26-05-2017 22:30, Dan Williams wrote:
> Yeah, something is quite different with new OpenSSL.  But it looks like
> the old OpenSSL isn't even using TLS, so the good/bad aren't testing
> the same things.
> 
> BAD:
> 1495830003.390560: SSL: SSL_connect:before SSL initialization
> 1495830003.390631: OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
> 1495830003.390644: OpenSSL: Message - hexdump(len=5): [REMOVED]
> 1495830003.390657: OpenSSL: TX ver=0x301 content_type=22 (handshake/client hello)
> 1495830003.390663: OpenSSL: Message - hexdump(len=93): [REMOVED]
> 1495830003.390667: SSL: (where=0x1001 ret=0x1)
> 1495830003.390670: SSL: SSL_connect:SSLv3/TLS write client hello
> 1495830003.390677: SSL: (where=0x1002 ret=0xffffffff)
> 1495830003.390680: SSL: SSL_connect:error in SSLv3/TLS write client hello
> 1495830003.390690: SSL: SSL_connect - want more data
> 1495830003.390694: SSL: 98 bytes pending from ssl_out
> 1495830003.390701: SSL: 98 bytes left to be sent out (of total 98 bytes)
> 
> GOOD:
> 1495829825.798298: SSL: SSL_connect:before/connect initialization
> 1495829825.798356: OpenSSL: TX ver=0x301 content_type=256 (TLS header info/)
> 1495829825.798367: OpenSSL: Message - hexdump(len=5): [REMOVED]
> 1495829825.798373: OpenSSL: TX ver=0x301 content_type=22 (handshake/client hello)
> 1495829825.798378: OpenSSL: Message - hexdump(len=190): [REMOVED]
> 1495829825.798382: SSL: (where=0x1001 ret=0x1)
> 1495829825.798387: SSL: SSL_connect:SSLv2/v3 write client hello A
> 1495829825.798394: SSL: (where=0x1002 ret=0xffffffff)
> 1495829825.798399: SSL: SSL_connect:error in SSLv2/v3 read server hello A
> 1495829825.798414: SSL: SSL_connect - want more data
> 1495829825.798421: SSL: 195 bytes pending from ssl_out
> 1495829825.798436: SSL: 195 bytes left to be sent out (of total 195 bytes)

If you hadn't pointed out that TLS was not being used, I would not have
known. Now I suppose the question is why with openssl 1.0 TLS is not being
used, while with openssl 1.1 it is being used and fails.

Is there any way I can tell wpa_supplicant to behave like it does with
openssl 1.0? I have just tried adding tls_disable_tlsv1_0=1 to the list of
phase1 parameters/options, but it doesn't seem to work; I see:

"OpenSSL: openssl_handshake - SSL_connect error:141640BF:SSL
routines:tls_construct_client_hello:no protocols available"

and authentication fails.

-- 
Mauro Santos
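
An added example, not part of the original message or of the hostap project: a small Python helper that pulls the OpenSSL message-callback lines out of two wpa_supplicant debug traces like the GOOD/BAD ones quoted above and lists the fields that differ. The function names are hypothetical; the sample lines are copied from the quoted logs.

```python
import re

# Lines copied from the quoted traces: GOOD (old OpenSSL) and BAD (new OpenSSL).
GOOD = """\
1495829825.798356: OpenSSL: TX ver=0x301 content_type=256 (TLS header info/)
1495829825.798367: OpenSSL: Message - hexdump(len=5): [REMOVED]
1495829825.798373: OpenSSL: TX ver=0x301 content_type=22 (handshake/client hello)
1495829825.798378: OpenSSL: Message - hexdump(len=190): [REMOVED]
1495829825.798399: SSL: SSL_connect:error in SSLv2/v3 read server hello A
"""
BAD = """\
1495830003.390631: OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
1495830003.390644: OpenSSL: Message - hexdump(len=5): [REMOVED]
1495830003.390657: OpenSSL: TX ver=0x301 content_type=22 (handshake/client hello)
1495830003.390663: OpenSSL: Message - hexdump(len=93): [REMOVED]
1495830003.390680: SSL: SSL_connect:error in SSLv3/TLS write client hello
"""

MSG_RE = re.compile(r"OpenSSL: (TX|RX) ver=0x([0-9a-fA-F]+) content_type=(\d+) \(([^)]*)\)")
LEN_RE = re.compile(r"hexdump\(len=(\d+)\)")
STATE_RE = re.compile(r"SSL: SSL_connect:(.+)$")

def parse_trace(text):
    """Return (messages, states) from a debug trace, mail-quoted ('> ') or not."""
    messages, states = [], []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if m := MSG_RE.search(line):
            # content_type=256 is OpenSSL's pseudo type for the 5-byte record header.
            messages.append({"dir": m[1], "ver": int(m[2], 16),
                             "ctype": int(m[3]), "desc": m[4], "len": None})
        elif (m := LEN_RE.search(line)) and messages and messages[-1]["len"] is None:
            messages[-1]["len"] = int(m[1])  # hexdump line belongs to the previous message
        elif m := STATE_RE.search(line):
            states.append(m[1])
    return messages, states

def diff_traces(good, bad):
    """List (content_type, field, good_value, bad_value) for messages that differ."""
    out = []
    for g, b in zip(parse_trace(good)[0], parse_trace(bad)[0]):
        if g["ctype"] != b["ctype"]:
            out.append((g["ctype"], "ctype", g["ctype"], b["ctype"]))
            continue
        for field in ("ver", "len"):
            if g[field] != b[field]:
                out.append((g["ctype"], field, g[field], b[field]))
    return out
```

On the lines above, `diff_traces(GOOD, BAD)` reports the record-header version (0x301 vs 0x0) and the ClientHello length (190 vs 93 bytes) as the two differing fields.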


