On Sun, Nov 26, 2023 at 10:52:54AM +0100, Arsen Arsenović wrote:
> I'm trying to debug a connection failure from some systems onto our
> PEAP-connected network.
>
> I've identified that the cause of the issue is that OpenSSL 3, present
> on some of the systems that fail to connect, has a higher default SECLEVEL
> and/or minimum protocol version than previous versions.
>
> I have reason to suspect that our PEAP infrastructure uses severely
> outdated TLS, and so that OpenSSL is acting correctly, and would like to
> confirm this suspicion and submit an analysis and request to upgrade to
> our network administrators.
>
> Can I fetch information about the PEAP TLS session (TLS version, ciphers
> in use, ...) from wpa_supplicant?

It is unfortunately very common for deployed RADIUS authentication
servers to use old (and in many cases, _really_ old) TLS implementations
and protocol features. While the best way to address this would be to
update the authentication server, that is not always practical for the
users of the network to get done and as such, wpa_supplicant does allow
SECLEVEL to be dropped as a workaround with the openssl_ciphers
configuration parameter.

The easiest way to get comprehensive information from failed PEAP
authentication attempts is using the stdout debug facility by adding -dd
on the wpa_supplicant command line. That might be doable with
distribution-specific mechanisms in some other ways as well by
configuring debug verbosity to MSGDUMP (or even DEBUG would likely be
sufficient for most needs) and record debug log into the system log
files.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
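
An added example, not part of the original message and not wpa_supplicant code: a small Python filter for a captured `-dd` log that pulls out the OpenSSL error reasons and says whether each points at the protocol version floor or at SECLEVEL checks, which is the distinction the report to the network administrators needs. The log line shape, the `CAUSES` table, the `analyze` function and the sample lines are assumptions constructed for this example.

```python
import re

# Assumed line shape of wpa_supplicant's OpenSSL error logging:
#   OpenSSL: <function> - <call> error:<code>:<library>:<func>:<reason>
ERR_RE = re.compile(
    r"OpenSSL: (?P<where>\S+) - (?P<call>.*?)\s*"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):[^:]*:(?P<reason>.+)$"
)

# OpenSSL 3 reason strings mapped to the client policy that rejected the server.
CAUSES = {
    "unsupported protocol": ("protocol", "server chose a TLS version the client policy does not allow"),
    "dh key too small": ("seclevel", "server DH parameters are too small for the active SECLEVEL"),
    "ee key too small": ("seclevel", "server certificate key is too small for the active SECLEVEL"),
    "ca key too small": ("seclevel", "a CA certificate key is too small for the active SECLEVEL"),
    "ca md too weak": ("seclevel", "a CA certificate is signed with a digest below the active SECLEVEL"),
}

def analyze(log_text):
    """Return one finding per distinct OpenSSL error reason, in log order."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        reason = m["reason"].strip()
        if reason in seen:  # repeated attempts log the same error again
            continue
        seen.add(reason)
        policy, meaning = CAUSES.get(reason, ("unknown", "not classified; quote the raw line"))
        findings.append({"code": m["code"].upper(), "reason": reason,
                         "policy": policy, "meaning": meaning})
    return findings

# Constructed sample: two failed attempts against differently configured servers.
SAMPLE_LOG = """\
EAP-PEAP: Start (server ver=0, own ver=1)
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
EAP: EAP entering state FAILURE
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
OpenSSL: openssl_handshake - SSL_connect error:0A00018A:SSL routines::dh key too small
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['code']} [{f['policy']}] {f['reason']}: {f['meaning']}")
```

Feed it the text saved from `wpa_supplicant -dd` (or the system log when debug verbosity is raised there); an `unknown` finding means the raw line should go into the report as is.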