Hi Sebastian,

See https://lists.infradead.org/pipermail/hostap/2022-May/040500.html

Jouni is adding/has added something to the code for that.

Stefan Paetow
Federated Roaming Technical Specialist
t: +44 (0)1235 822 125
e-mail/teams: stefan.paetow@xxxxxxxxxx
gpg: 0x3FCE5142

On Mondays and Wednesdays, I am not available between 12:00 noon and 15:00.

On 18/05/2022, 15:29, "Hostap on behalf of Sebastien Bacher" <hostap-bounces@xxxxxxxxxxxxxxxxxxx on behalf of seb128@xxxxxxxxxx> wrote:

> Hey there,
>
> The issue has been reported downstream; it's a problem for legacy setups, but those don't seem rare judging from the users' feedback:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011121
> https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
> https://bugzilla.redhat.com/show_bug.cgi?id=2069239
>
> The authentication fails:
>
> > OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
>
> Clemens Lang explained the issue: 'these servers only offer TLS 1.1 or older, which uses MD5-SHA1 as digest in its signature algorithm. Due to recent collision attacks on SHA1, this no longer meets OpenSSL default level of security of 80 bits (see https://sha-mbles.github.io/, which reduced the chosen-prefix collision to 63.4 bits).'
> Fedora fixes the problem with those patches in openssl:
> https://src.fedoraproject.org/rpms/openssl/blob/f36/f/0049-Allow-disabling-of-SHA1-signatures.patch
> https://src.fedoraproject.org/rpms/openssl/blob/f36/f/0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
>
> There is an open discussion upstream about adding the option in https://github.com/openssl/openssl/issues/17662
>
> Since it's likely to take time for the openssl change to be agreed on, land and reach distributions, I was wondering if wpa could do something to help in those cases? Would it be possible to maybe default to SECLEVEL=0 for TLS <= 1.1 connections when building with openssl3?
> Cheers,
> Sebastien Bacher
>
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap
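As an added illustration (not part of this thread and not hostap project code), this is what the SECLEVEL=0 workaround Sebastien asks about looks like when scoped to a single network block instead of being applied supplicant-wide, so every other EAP network keeps OpenSSL's default security level. It assumes wpa_supplicant's per-network `openssl_ciphers` parameter (which overrides the global one), a hypothetical EAP-PEAP network named `legacy-corp`, and placeholder credentials and CA path.

```ini
# Added example: wpa_supplicant.conf fragment (constructed, not from the thread).
# Only the network whose RADIUS server still negotiates TLS 1.1 gets the
# lowered OpenSSL security level; all other networks keep the default.

network={
    # hypothetical network name
    ssid="legacy-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    # placeholder credentials
    identity="user@example.org"
    password="REPLACE_ME"
    # hypothetical path; keep validating the server certificate even while
    # the security level is relaxed, so the downgrade is limited to the
    # MD5-SHA1 handshake signature and not to who the client will talk to
    ca_cert="/etc/ssl/certs/legacy-radius-ca.pem"
    phase2="auth=MSCHAPV2"
    # OpenSSL cipher string: the DEFAULT list with the security level set to 0,
    # which is what OpenSSL 3 requires before it accepts the MD5-SHA1
    # signature used by TLS <= 1.1 (the "internal error" in the report)
    openssl_ciphers="DEFAULT@SECLEVEL=0"
}
```

To confirm the diagnosis from the client side before touching the configuration, `openssl s_client -tls1_1 -connect host:port` against the server in question should fail with the same `0A0C0103` internal error at the default level and succeed once `-cipher 'DEFAULT@SECLEVEL=0'` is added; the network-block override above is then the narrowest change, and it is worth noting in the config comment when the server is expected to move to TLS 1.2 so the override gets removed again.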