Can't connect to PEAP anymore on current Ubuntu (2.10 built with openssl3)

d. caratti davide.caratti at
Sun May 1 01:54:58 PDT 2022


On Wed, 6 Apr 2022 at 03:21, Masashi Honma
<masashi.honma at> wrote:
> Thanks for the detailed log.
> But I could not find out the way to avoid this issue by fixing wpa_supplicant.
> According to the comment
> adding this to /usr/lib/ssl/openssl.cnf fixes the issue.
> [system_default_sect]
> Options = UnsafeLegacyRenegotiation
> Since this workaround exists, the OpenSSL developers have decided that
> this bug won't be fixed.

According to James' analysis, it should also be possible to allow
unsafe legacy renegotiation only for wpa_supplicant, avoiding applying
this setting system-wide. That should be do-able with:


as proposed at
A more complete fix would extend the wpa_supplicant configuration to
permit unsafe legacy TLS renegotiation only for users that explicitly
require it (so that it can be set only for connections that need this

Setting SSL_OP_LEGACY_SERVER_CONNECT unconditionally might also be
acceptable for wpa_supplicant IMO, but I would like to hear your
preference. Any feedback appreciated, thank you in advance!
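
A check for the system-wide workaround quoted above, as an added example that is not part of the original message or of wpa_supplicant: it follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain in an openssl.cnf and reports the legacy-renegotiation flags enabled for every libssl user on the host. The function names and the sample config are constructed here, and `.include` directives and variable expansion are assumed absent.

```python
import re

# SSL_CONF "Options" flags that relax RFC 5746 secure-renegotiation checks.
RISKY = {"unsafelegacyrenegotiation", "unsafelegacyserverconnect"}

def parse_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}; keys that appear
    before any [header] are stored under "" (a naming choice of this example)."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_wide_legacy_options(text):
    """Return the risky Options flags that the system default section enables."""
    sections = parse_cnf(text)
    name = sections[""].get("openssl_conf")
    for link in ("ssl_conf", "system_default"):  # follow the reference chain
        name = sections.get(name, {}).get(link) if name else None
    target = sections.get(name, {}) if name else {}
    found = []
    for key, value in target.items():
        if key.lower() != "options":             # command names are case-insensitive
            continue
        for flag in (f.strip() for f in value.split(",")):
            # A leading "-" disables a flag, so only enabled ones are reported.
            if flag and not flag.startswith("-") and flag.lstrip("+").lower() in RISKY:
                found.append(flag.lstrip("+"))
    return found

# Constructed sample: the system-wide workaround quoted in the thread.
WORKAROUND_CNF = """
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation   # applies to every TLS client on the host
"""

if __name__ == "__main__":
    print(system_wide_legacy_options(WORKAROUND_CNF))
```

A section that sets the option but is not reachable from `openssl_conf` is not reported, because libssl never loads it.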
