Configuring enabled ciphers and TLS versions globally

Martin Dørum martid0311 at gmail.com
Thu Oct 19 06:58:13 PDT 2023


Hello,

I have a system which uses wpa_supplicant for connecting to WiFi.
After an upgrade, the system is no longer able to connect to certain
EAP-TLS networks. I have found that this is because the EAP-TLS network
is using either an old/insecure version of TLS or an old/insecure
signature algorithm which wpa_supplicant no longer supports by default.
Further, I have found that adding this phase1 configuration to the
relevant `network` block in the wpa_supplicant config makes
wpa_supplicant connect:

network={
	...
	phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 openssl_ciphers=DEFAULT@SECLEVEL=1"
	...
}

However, ideally, I would like to configure TLS version and cipher
support globally, not per-network. I have tried reading documentation,
wiki pages related to wpa_supplicant and asking around in IRC channels,
but I haven't been able to find any place to globally configure this,
so I'm trying the mailing list now. Any help would be greatly
appreciated.

Also, let's not turn this into a discussion about whether or not it's
a good idea to use these old ciphers and protocols. I know that they're
disabled by default for a good reason. I'm just looking for a central
place to control which ones are enabled and which ones are disabled,
and I'm aware of the risks related to using old/insecure ciphers and
TLS versions.

Regards,
Martin Dørum
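Because the per-network phase1 string is the only place the post shows these settings being relaxed, it is easy to lose track of which network blocks in a shared wpa_supplicant.conf have been weakened. The script below is an added example, not code from the post or from the wpa_supplicant project: it parses the network={...} blocks of a constructed sample config (SSIDs and paths are made up), splits each phase1 string into its key=value parameters, and reports every network that re-enables TLS 1.0/1.1 (tls_disable_tlsv1_0=0, tls_disable_tlsv1_1=0) or embeds an OpenSSL @SECLEVEL below 2. Treating SECLEVEL 2 as the baseline is an assumption of this example, as is the choice not to flag tls_disable_tlsv1_2=0, which only restates the default.

```python
"""Audit wpa_supplicant.conf network blocks for phase1 settings that
re-enable legacy TLS versions or lower the OpenSSL security level.

Added example; not part of the original post or of wpa_supplicant.
"""
import re

# Constructed sample config (not from the post). The first block carries the
# weakened phase1 string shown in the post, the second keeps the defaults,
# the third is a PSK network with no EAP settings at all.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
network={
    ssid="legacy-corp"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 openssl_ciphers=DEFAULT@SECLEVEL=1"
}
network={
    ssid="modern-corp"
    key_mgmt=WPA-EAP
    eap=TLS
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=0"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="..."
}
"""

# phase1 keys that, when set to 0, re-enable a legacy protocol version.
LEGACY_TLS_KEYS = {
    "tls_disable_tlsv1_0": "TLS 1.0",
    "tls_disable_tlsv1_1": "TLS 1.1",
}
# Assumption of this example: anything below OpenSSL SECLEVEL 2 is a downgrade.
MIN_SECLEVEL = 2


def parse_networks(conf_text):
    """Return one dict per network={...} block, with surrounding quotes removed."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if re.fullmatch(r"network\s*=\s*\{", line):
                current = {}
            continue
        if line == "}":
            networks.append(current)
            current = None
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return networks


def parse_phase1(phase1):
    """Split a phase1 string into key/value pairs.

    Only the first '=' of each token separates key from value, so a cipher
    string such as DEFAULT@SECLEVEL=1 survives intact as the value.
    """
    params = {}
    for token in phase1.split():
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
    return params


def seclevel_of(cipher_string):
    """Return the @SECLEVEL=N embedded in an OpenSSL cipher string, or None."""
    m = re.search(r"@SECLEVEL=(\d)", cipher_string)
    return int(m.group(1)) if m else None


def audit(conf_text):
    """Map SSID -> list of findings for networks whose phase1 weakens TLS."""
    findings = {}
    for net in parse_networks(conf_text):
        issues = []
        params = parse_phase1(net.get("phase1", ""))
        for key, label in LEGACY_TLS_KEYS.items():
            if params.get(key) == "0":
                issues.append(f"{label} re-enabled via {key}=0")
        ciphers = params.get("openssl_ciphers")
        if ciphers is not None:
            level = seclevel_of(ciphers)
            if level is not None and level < MIN_SECLEVEL:
                issues.append(f"OpenSSL security level lowered to {level} via openssl_ciphers={ciphers}")
        if issues:
            findings[net.get("ssid", "<no ssid>")] = issues
    return findings


if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_CONF).items():
        print(ssid)
        for issue in issues:
            print("  -", issue)
```

Run against a real config, the script lists only the networks that relax the defaults, which is the inventory one wants before deciding whether a single global policy can replace the per-network overrides. The parser deliberately ignores everything outside network blocks, so global parameters in the same file are not inspected.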

