Can't connect to PEAP anymore on current Ubuntu (2.10 built with openssl3)
James Ralston
ralston at pobox.com
Wed Jul 20 11:34:52 PDT 2022

Hi Jouni,

On Sat, May 7, 2022 at 1:50 PM Jouni Malinen <j at w1.fi> wrote:
> On Thu, May 05, 2022 at 08:56:18AM +0200, Alan DeKok wrote:
>
> > On May 4, 2022, at 6:16 PM, Jouni Malinen <j at w1.fi> wrote:
> >
> > > I'll probably add at least this into wpa_supplicant with a clear
> > > event message identifying this specific issue to upper layers
> > > and a network-specific configuration parameter for enabling the
> > > workaround (and a suitable set of warnings to recommend against
> > > using this workaround in cases where the user cares about real
> > > security..).
> >
> > That seems best. This should likely not be enabled by default,
> > and maybe even require special build options.
>
> This parameter is now available to (re-)enable the workaround in
> OpenSSL 3.0 (phase1="allow_unsafe_renegotiation=1"):
> https://w1.fi/cgit/hostap/commit/?id=566ce69a8d0e64093309cbde80235aa522fbf84e
>
> And upper layer components can use this notification to get a clear
> indication when this workaround would be needed:
> https://w1.fi/cgit/hostap/commit/?id=a561d12d24c2c8bb0f825d4a3a55a5e47e845853

Would you be willing to accept a patch to change the name of this
option from:

    allow_unsafe_renegotiation

to:

    allow_legacy_server_connect

?

Per OpenSSL (1), there are two options related to RFC5746 (2)
checking:

SSL_OP_LEGACY_SERVER_CONNECT:

    Permit OpenSSL clients to connect to TLS servers that do not
    indicate support for RFC5746 secure renegotiation in the initial
    TLS handshake.

    This is the only behavior enabled by this option. In particular,
    both OpenSSL clients and servers will continue to reject
    renegotiation attempts from a client/server that did not indicate
    support for RFC5746 secure renegotiation during the initial TLS
    handshake.

SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION:

    Ignore all lack of RFC5746 secure renegotiation support in either
    a client or server context.

    Not only does this permit OpenSSL clients to connect to TLS
    servers that do not indicate support for RFC5746 secure
    renegotiation during the initial TLS handshake, but it
    additionally means that both OpenSSL clients and servers will
    always permit renegotiation, even if the client/server did not
    indicate support for RFC5746 secure renegotiation during the
    initial TLS handshake.

    This option is *dangerous*, and should almost never be enabled,
    because it makes OpenSSL server instances vulnerable to the
    man-in-the-middle attack described in RFC5746.

For those familiar with OpenSSL, naming the wpa_supplicant option
“allow_unsafe_renegotiation” gives the impression that it is enabling
the dangerous SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option under
the hood. But it isn’t; it is setting SSL_OP_LEGACY_SERVER_CONNECT:

    #ifdef SSL_OP_LEGACY_SERVER_CONNECT
        if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
            SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
    #endif /* SSL_OP_LEGACY_SERVER_CONNECT */

This is really, really confusing, and it is causing consternation for
the NetworkManager folks (3) (4), because they now have two choices,
both unpalatable:

1. Name the NetworkManager option “allow unsafe renegotiation” in
   order to match what wpa_supplicant calls the option, despite the
   fact that it makes it seem like this will set
   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

2. Name the NetworkManager option “allow_legacy_server_connect” to
   correctly reflect the underlying OpenSSL option that is being
   enabled, which will be confusing because the NetworkManager
   “allow_legacy_server_connect” option will in fact toggle the
   wpa_supplicant “allow_unsafe_renegotiation” option.

I would gently suggest the best course of action here is to change the
name of the wpa_supplicant option to better reflect the OpenSSL option
that is being toggled by that option: that is, change the
wpa_supplicant option name from “allow_unsafe_renegotiation” to
“allow_legacy_server_connect”.

There hasn’t been a new hostap release since commits
566ce69a/a561d12d, so changing the option name from
allow_unsafe_renegotiation to allow_legacy_server_connect won’t break
anyone or any configurations (except possibly people building hostap
from the main branch who manually set the option).

Thoughts?

(1) https://www.openssl.org/docs/man3.0/man3/SSL_clear_options.html#SECURE-RENEGOTIATION
(2) https://datatracker.ietf.org/doc/html/rfc5746
(3) https://bugzilla.redhat.com/show_bug.cgi?id=2072070
(4) https://bugzilla.redhat.com/show_bug.cgi?id=2077973
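
Added example (not part of the original message, and not hostap or NetworkManager code): a small Python audit that lists the network blocks in a wpa_supplicant configuration where the phase1 workaround is enabled and reports the OpenSSL option it actually sets, per the snippet quoted above. The sample configuration is constructed, and treating phase1 as space-separated key=value pairs is an assumption of this sketch.

```python
# Per the snippet quoted in the message, this phase1 flag makes wpa_supplicant
# set SSL_OP_LEGACY_SERVER_CONNECT, not SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
FLAG = "allow_unsafe_renegotiation"
OPENSSL_OPTION = "SSL_OP_LEGACY_SERVER_CONNECT"

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF = '''
network={
    ssid="corp-legacy"
    eap=PEAP
    # old RADIUS server without RFC 5746 support
    phase1="peaplabel=0 allow_unsafe_renegotiation=1"
}
network={
    ssid="corp-modern"
    eap=PEAP
    phase1="allow_unsafe_renegotiation=0"
}
'''

def parse_phase1(value):
    """Split a phase1 string such as 'a=1 b=0' into a dict (assumed format)."""
    return dict(item.split("=", 1) for item in value.split() if "=" in item)

def audit(conf_text):
    """Return [(ssid, openssl_option)] for networks that enable the workaround."""
    findings, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            block = {}
        elif line == "}" and block is not None:
            phase1 = parse_phase1(block.get("phase1", ""))
            if phase1.get(FLAG) == "1":
                findings.append((block.get("ssid", "<no ssid>"), OPENSSL_OPTION))
            block = None
        elif block is not None and "=" in line:
            key, value = line.split("=", 1)
            block[key.strip()] = value.strip().strip('"')
    return findings

if __name__ == "__main__":
    for ssid, option in audit(SAMPLE_CONF):
        print(f"{ssid}: phase1 {FLAG}=1 -> {option}")
```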