Re: [RFC] Disable TLSv1.0 by default, but allow enabling it

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Dec 04, 2018 at 01:00:08PM +0100, Andrej Shadura wrote:
> In the Debian bug reports #907518 and #911297 (see below), people complained
> that OpenSSL 1.1.1 disables TLSv1.0 and some other insecure settings by
> default, but some older networks may still require their support:
>     wpa_supplicant[523]: OpenSSL: pending error: error:140C618E:SSL routines:SSL_use_certificate:ca md too weak

> Some of those issues can be overrided by adding openssl_ciphers=DEFAULT@SECLEVEL=1
> to the wpa config, but e.g. Kurt Roeckx complained that the minimum TLS
> version is still 1.2:
> 
>     ssl_choose_client_version:version too low
> 
> Unlike ciphers, that cannot be overridden in the wpa config, since
> tls_disable_tlsv1_0 only allows disabling TLS versions, not enabling
> them back if the default version is too high. I intend to apply
> the patch below to wpa in Debian, which will enable switching TLSv1.0
> back if necessary by adding tls_disable_tlsv1_0=0 to the config.

tls_disable_tlv1_0=0 in wpa_supplicant has actually been defined to
enable TLSv1.0. However, the implementation handled that only within
wpa_supplicant itself and not in a manner that would be able to override
this systemwide default in OpenSSL parameters. It looks like the safest
approach is to allow this explicit enabling to be used in configuration
to do that override so that distributions are free to do whatever
systemwide enforcement they want to expose to their users to try to
enforce security while the users have an option of overriding that if
there is no way of fixing the issue at the other end of the exchange.

The following hostap.git commit does this:
https://w1.fi/cgit/hostap/commit/?id=cc9c4feccc5588137f66c40a4a6729476556853e

And as an example, the following network profile parameters would undo
the Debian systemwide restrictions:
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"
openssl_ciphers="DEFAULT@SECLEVEL=1"

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux