On Wed, May 18, 2022 at 04:23:26PM +0200, Sebastien Bacher wrote: > The issue has been reported downstream, it's a problem for legacy setups but > those don't seem rare from the users feedback > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011121 > https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267 > https://bugzilla.redhat.com/show_bug.cgi?id=2069239 > > The authentification fails > > OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL > routines::internal error Some of those bug reports talked about the unsafe renegotiation which is an independent issue (and that has its own workaround now with phase1="allow_unsafe_renegotiation=1"), but as far as this particular not so helpful "internal error" case for OpenSSL 3.0 is concerned, there is also an older workaround for that in wpa_supplicant: https://w1.fi/cgit/hostap/commit/?id=58bbcfa31b18eae42e3f3dc8fea716360d4bb67f In other words, adding the following parameter into the network configuration works around this by dropping the OpenSSL security level to 0: phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" > Since it's likely to take time for the openssl change to be agreed on, land > and reach distribution I was wondering if wpa could do something to help in > those cases? Would it be possible to maybe default to SECLEVEL=0 for TLS <= > 1.1 connections when building with openssl3? That is not done by default, but can be done with the phase1 parameter shown above. I guess there would be sufficient justification to doing this by default based on the negotiated TLS version especially taken into account the completely useful error message for this case. This is a bit inconvenient with OpenSSL, but it looks like this can be done, so I'm thinking of applying the following changes: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1 Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be enabled with an explicit network configuration parameter. However, the default settings are still allowing TLS 1.0 and 1.1 to be negotiated just to see them fail immediately when using OpenSSL 3.0. This is not exactly helpful especially when the OpenSSL error message for this particular case is "internal error" which does not really say anything about the reason for the error. It is is a bit inconvenient to update the security policy for this particular issue based on the negotiated TLS version since that happens in the middle of processing for the first message from the server. However, this can be done by using the debug callback for printing out the received TLS messages during processing. Drop the OpenSSL security level to 0 if that is the only option to continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed in wpa_supplicant default configuration and OpenSSL 3.0 with the constraint on MD5-SHA1 use. Signed-off-by: Jouni Malinen <j@xxxxx> --- src/crypto/tls_openssl.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 6602ac64f591..78621d926dab 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type, struct tls_connection *conn = arg; const u8 *pos = buf; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if ((SSL_version(ssl) == TLS1_VERSION || + SSL_version(ssl) == TLS1_1_VERSION) && + SSL_get_security_level(ssl) > 0) { + wpa_printf(MSG_DEBUG, + "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm"); + SSL_set_security_level(ssl, 0); + } +#endif /* OpenSSL version >= 3.0 */ if (write_p == 2) { wpa_printf(MSG_DEBUG, "OpenSSL: session ver=0x%x content_type=%d", -- 2.25.1 -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
