hi,

On Wed, 6 Apr 2022 at 03:21, Masashi Honma <masashi.honma@xxxxxxxxx> wrote:
>
> Thanks for the detailed log.
> But I could not find out the way to avoid this issue by fixing wpa_supplicant.
>
>
> According to the comment
> https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267/comments/11,
> adding this to /usr/lib/ssl/openssl.cnf fixes the issue.
>
> [system_default_sect]
> Options = UnsafeLegacyRenegotiation
>
> Since this workaround exists, the OpenSSL developers have decided that
> this bug won't be fixed.

According to James' analysis, it should also be possible to allow unsafe legacy
renegotiation only for wpa_supplicant, avoiding applying this setting
system-wide. That should be doable with:

SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);

as proposed at https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24.

A more complete fix would extend the wpa_supplicant configuration to permit
unsafe legacy TLS renegotiation only for users that explicitly require it (so
that it can be set only for connections that need this setting).

Setting SSL_OP_LEGACY_SERVER_CONNECT unconditionally might also be acceptable
for wpa_supplicant IMO, but I would like to hear your preference.

Any feedback appreciated, thank you in advance!

--
davide

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
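Added example, not part of the thread or of wpa_supplicant: until wpa_supplicant itself grows a per-connection setting, an administrator can keep the Launchpad workaround out of the system-wide /usr/lib/ssl/openssl.cnf by giving wpa_supplicant its own OpenSSL config through the OPENSSL_CONF environment variable. The config path, the systemd drop-in directory and the unit name wpa_supplicant.service are assumptions; the setting still applies to every TLS connection that one process makes, so it is narrower than system-wide but not per-network.

```shell
# Write a minimal, self-contained OpenSSL config that enables only the
# UnsafeLegacyRenegotiation option from the Launchpad comment. The system
# openssl.cnf is not touched. $1 = destination path (assumed, e.g.
# /etc/wpa_supplicant/openssl-legacy.cnf).
write_legacy_openssl_cnf() {
    cat > "$1" <<'EOF'
# Per-process OpenSSL config for wpa_supplicant only (constructed example).
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Same option the system-wide workaround uses; here it is honoured only by
# processes started with OPENSSL_CONF pointing at this file.
Options = UnsafeLegacyRenegotiation
EOF
}

# Check a config file: return 0 only if [system_default_sect] carries an
# Options line that names UnsafeLegacyRenegotiation. Useful to confirm which
# file (system or per-process) actually carries the relaxed setting.
cnf_enables_legacy_renegotiation() {
    awk '
        /^\[/ { section = $0 }
        section == "[system_default_sect]" && /^[ \t]*Options[ \t]*=/ && /UnsafeLegacyRenegotiation/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Systemd drop-in so that only wpa_supplicant.service sees OPENSSL_CONF.
# $1 = drop-in directory (assumed: /etc/systemd/system/wpa_supplicant.service.d),
# $2 = path written by write_legacy_openssl_cnf. Run `systemctl daemon-reload`
# and restart the unit afterwards.
write_systemd_dropin() {
    mkdir -p "$1"
    cat > "$1/openssl-legacy.conf" <<EOF
[Service]
Environment=OPENSSL_CONF=$2
EOF
}
```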