Can't connect to PEAP anymore on current Ubuntu (2.10 built with openssl3)

d. caratti davide.caratti at gmail.com
Sun May 1 01:54:58 PDT 2022


hi,

Il giorno mer 6 apr 2022 alle ore 03:21 Masashi Honma
<masashi.honma at gmail.com> ha scritto:
>
> Thanks for the detailed log.
> But I could not find out the way to avoid this issue by fixing wpa_supplicant.
>
>
> According to the comment
> https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267/comments/11,
> adding this to /usr/lib/ssl/openssl.cnf fixes the issue.
>
> [system_default_sect]
> Options = UnsafeLegacyRenegotiation
>
> Since this workaround exists, the OpenSSL developers have decided that
> this bug won't be fixed.

according to James' analysis, it should also be possible to allow
unsafe legacy renegotiation only for wpa_supplicant, without applying
this setting system-wide. That should be doable with:

SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);

as proposed at https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24.
A more complete fix would extend the wpa_supplicant configuration to
permit unsafe legacy TLS renegotiation only for users that explicitly
require it (so that it can be set only for connections that need this
setting).

Setting SSL_OP_LEGACY_SERVER_CONNECT unconditionally might also be
acceptable for wpa_supplicant IMO, but I would like to hear your
preference. Any feedback appreciated, thank you in advance!
-- 
davide
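The per-connection approach discussed above (enable SSL_OP_LEGACY_SERVER_CONNECT only for a network profile that explicitly asks for it, instead of the system-wide openssl.cnf change), as an added example that is not code from the thread or from wpa_supplicant itself. It uses Python's stdlib ssl module as a stand-in for the OpenSSL calls; the `phase1="allow_unsafe_renegotiation=1"` key and the `network` dict are assumptions constructed for the example, not an existing wpa_supplicant option.

```python
import ssl

# SSL_OP_LEGACY_SERVER_CONNECT is 0x4 in OpenSSL's ssl.h. Newer Pythons
# expose it by name; on older ones fall back to the raw bit.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def parse_phase1(phase1):
    """Parse a wpa_supplicant-style 'key=value key=value' phase1 string."""
    flags = {}
    for item in phase1.split():
        key, _, value = item.partition("=")
        flags[key] = value
    return flags


def build_tls_context(network):
    """Build the TLS client context for one network block (assumed dict).

    The legacy-renegotiation bit is set only when the profile carries the
    hypothetical phase1 flag allow_unsafe_renegotiation=1; otherwise it is
    cleared explicitly, so the result does not depend on the OpenSSL
    version's default (1.1.1 enabled it by default, 3.0 does not).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    flags = parse_phase1(network.get("phase1", ""))
    opts = int(ctx.options)
    if flags.get("allow_unsafe_renegotiation") == "1":
        # Equivalent of SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT)
        opts |= OP_LEGACY_SERVER_CONNECT
    else:
        # Equivalent of SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT)
        opts &= ~OP_LEGACY_SERVER_CONNECT
    ctx.options = opts
    return ctx


def legacy_renegotiation_enabled(ctx):
    """Report whether the context will accept servers lacking RFC 5746 support."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


if __name__ == "__main__":
    # Constructed sample profiles: one that opts in, one that does not.
    legacy_ap = {"ssid": "old-peap-ap", "phase1": "allow_unsafe_renegotiation=1"}
    modern_ap = {"ssid": "modern-ap"}
    for net in (legacy_ap, modern_ap):
        ctx = build_tls_context(net)
        print(net["ssid"], "legacy renegotiation:", legacy_renegotiation_enabled(ctx))
```

Keeping the decision per network block means the weaker setting reaches only the authentication server that still needs it, while every other profile on the same host keeps OpenSSL 3's secure default, which is the property the system-wide openssl.cnf workaround gives up.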


