On Tue, Dec 04, 2018 at 01:00:08PM +0100, Andrej Shadura wrote: > In the Debian bug reports #907518 and #911297 (see below), people complained > that OpenSSL 1.1.1 disables TLSv1.0 and some other insecure settings by > default, but some older networks may still require their support: > wpa_supplicant[523]: OpenSSL: pending error: error:140C618E:SSL routines:SSL_use_certificate:ca md too weak > Some of those issues can be overrided by adding openssl_ciphers=DEFAULT@SECLEVEL=1 > to the wpa config, but e.g. Kurt Roeckx complained that the minimum TLS > version is still 1.2: > > ssl_choose_client_version:version too low > > Unlike ciphers, that cannot be overridden in the wpa config, since > tls_disable_tlsv1_0 only allows disabling TLS versions, not enabling > them back if the default version is too high. I intend to apply > the patch below to wpa in Debian, which will enable switching TLSv1.0 > back if necessary by adding tls_disable_tlsv1_0=0 to the config. tls_disable_tlv1_0=0 in wpa_supplicant has actually been defined to enable TLSv1.0. However, the implementation handled that only within wpa_supplicant itself and not in a manner that would be able to override this systemwide default in OpenSSL parameters. It looks like the safest approach is to allow this explicit enabling to be used in configuration to do that override so that distributions are free to do whatever systemwide enforcement they want to expose to their users to try to enforce security while the users have an option of overriding that if there is no way of fixing the issue at the other end of the exchange. The following hostap.git commit does this: https://w1.fi/cgit/hostap/commit/?id=cc9c4feccc5588137f66c40a4a6729476556853e And as an example, the following network profile parameters would undo the Debian systemwide restrictions: phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" openssl_ciphers="DEFAULT@SECLEVEL=1" -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap