wpa built with openssl3 can't connect to servers using TLS 1.1 or older

Jouni Malinen j at w1.fi
Sun May 22 07:10:39 PDT 2022

On Wed, May 18, 2022 at 04:23:26PM +0200, Sebastien Bacher wrote:
> The issue has been reported downstream, it's a problem for legacy setups but
> those don't seem rare from the users feedback
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011121
> https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
> https://bugzilla.redhat.com/show_bug.cgi?id=2069239
> The authentification fails
> > OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL
> routines::internal error

Some of those bug reports talked about the unsafe renegotiation which is
an independent issue (and that has its own workaround now with
phase1="allow_unsafe_renegotiation=1"), but as far as this particular
not so helpful "internal error" case for OpenSSL 3.0 is concerned, there
is also an older workaround for that in wpa_supplicant:

In other words, adding the following parameter into the network
configuration works around this by dropping the OpenSSL security level
to 0:
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"

> Since it's likely to take time for the openssl change to be agreed on, land
> and reach distribution I was wondering if wpa could do something to help in
> those cases? Would it be possible to maybe default to SECLEVEL=0 for TLS <=
> 1.1 connections when building with openssl3?

That is not done by default, but can be done with the phase1 parameter
shown above.

I guess there would be sufficient justification to doing this by default
based on the negotiated TLS version especially taken into account the
completely useful error message for this case. This is a bit
inconvenient with OpenSSL, but it looks like this can be done, so I'm
thinking of applying the following changes:

OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1

Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
enabled with an explicit network configuration parameter. However, the
default settings are still allowing TLS 1.0 and 1.1 to be negotiated
just to see them fail immediately when using OpenSSL 3.0. This is not
exactly helpful especially when the OpenSSL error message for this
particular case is "internal error" which does not really say anything
about the reason for the error.

It is is a bit inconvenient to update the security policy for this
particular issue based on the negotiated TLS version since that happens
in the middle of processing for the first message from the server.
However, this can be done by using the debug callback for printing out
the received TLS messages during processing.

Drop the OpenSSL security level to 0 if that is the only option to
continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
in wpa_supplicant default configuration and OpenSSL 3.0 with the
constraint on MD5-SHA1 use.

Signed-off-by: Jouni Malinen <j at w1.fi>
 src/crypto/tls_openssl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 6602ac64f591..78621d926dab 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
 	struct tls_connection *conn = arg;
 	const u8 *pos = buf;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if ((SSL_version(ssl) == TLS1_VERSION ||
+	     SSL_version(ssl) == TLS1_1_VERSION) &&
+	    SSL_get_security_level(ssl) > 0) {
+		wpa_printf(MSG_DEBUG,
+			   "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
+		SSL_set_security_level(ssl, 0);
+	}
+#endif /* OpenSSL version >= 3.0 */
 	if (write_p == 2) {
 			   "OpenSSL: session ver=0x%x content_type=%d",

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list