Gentoo's Bugzilla – Attachment 868518 Details for Bug 912315: net-wireless/wpa_supplicant openssl3 TLS/EAP regression
[patch] wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch (text/plain), 2.33 KB, created by Pacho Ramos on 2023-08-23 10:06:19 UTC
Flags: patch, obsolete
>From: Jouni Malinen <j@w1.fi> >Date: Sun, 22 May 2022 17:01:35 +0300 >Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1 > >Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for >TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level >drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be >enabled with an explicit network configuration parameter. However, the >default settings are still allowing TLS 1.0 and 1.1 to be negotiated >just to see them fail immediately when using OpenSSL 3.0. This is not >exactly helpful especially when the OpenSSL error message for this >particular case is "internal error" which does not really say anything >about the reason for the error. > >It is a bit inconvenient to update the security policy for this >particular issue based on the negotiated TLS version since that happens >in the middle of processing for the first message from the server. >However, this can be done by using the debug callback for printing out >the received TLS messages during processing. > >Drop the OpenSSL security level to 0 if that is the only option to >continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed >in wpa_supplicant default configuration and OpenSSL 3.0 with the >constraint on MD5-SHA1 use. > >Signed-off-by: Jouni Malinen <j@w1.fi> > >Bug-Debian: https://bugs.debian.org/1011121 >Bug-Ubuntu: https://bugs.launchpad.net/bugs/1958267 >Origin: upstream, commit:bc99366f9b960150aa2e369048bbc2218c1d414e >--- > src/crypto/tls_openssl.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c >index 6602ac64f591..78621d926dab 100644 >--- a/src/crypto/tls_openssl.c >+++ b/src/crypto/tls_openssl.c 
>@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type, > struct tls_connection *conn = arg; > const u8 *pos = buf; > >+#if OPENSSL_VERSION_NUMBER >= 0x30000000L >+ if ((SSL_version(ssl) == TLS1_VERSION || >+ SSL_version(ssl) == TLS1_1_VERSION) && >+ SSL_get_security_level(ssl) > 0) { >+ wpa_printf(MSG_DEBUG, >+ "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm"); >+ SSL_set_security_level(ssl, 0); >+ } >+#endif /* OpenSSL version >= 3.0 */ > if (write_p == 2) { > wpa_printf(MSG_DEBUG, > "OpenSSL: session ver=0x%x content_type=%d", >-- >2.39.0 >
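Review bot: the new block in tls_msg_cb calls `SSL_set_security_level(ssl, 0)`, which removes every OpenSSL security-level constraint for the connection (minimum key sizes, weak ciphers and digests), not only the MD5-SHA1 signature algorithm that the accompanying wpa_printf message names; the log text and the commit message should say plainly that this is a general policy downgrade for TLS 1.0/1.1 connections, so that operators reading the Debian/Ubuntu bug links understand what the workaround trades away. Also, logging the downgrade at `MSG_DEBUG` hides it in normal operation; since this changes the connection's security policy at run time, `MSG_INFO` would make the event visible when troubleshooting EAP failures without enabling debug output.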