Bug 912315 - net-wireless/wpa_supplicant openssl3 TLS/EAP regression
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Rick Farina (Zero_Chaos)
Keywords: PATCH
Depends on:
Blocks: openssl-3.0
Reported: 2023-08-15 17:53 UTC by Ville Syrjala
Modified: 2023-08-26 13:34 UTC (History)

wpa_supplicant-2.10-allow-legacy-renegotiation.patch (1.14 KB, patch)
2023-08-23 10:05 UTC, Pacho Ramos
wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch (2.33 KB, patch)
2023-08-23 10:06 UTC, Pacho Ramos

Description Ville Syrjala 2023-08-15 17:53:55 UTC
Apparently openssl3 broke some legacy TLS/EAP thing in wpa_supplicant. Due to that I can't connect to the WLAN at the office.

Reproducible: Always

Steps to Reproduce:
1. Try to connect to some corporate WLAN

Actual Results:  
Connection fails:

[wpa_supplicant] wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
[wpa_supplicant] SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
[wpa_supplicant] OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Expected Results:  
Connection succeeds.

Some other distros have a patch, which works here as well:

Unfortunately I can't seem to use /etc/portage/patches for this, presumably due to the way the ebuild overrides $S, so I had to patch the ebuild locally :(

I also tried mucking about with some related openssl.cnf knobs but couldn't get anything to work that way.
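
Added example (not part of the bug report or of the wpa_supplicant patches): a small triage script that decodes the packed OpenSSL 3 error code in the log above and flags EAP handshakes rejected because the server does not offer secure renegotiation (RFC 5746), which OpenSSL 3 clients refuse by default. The function names and the last sample line are constructed for illustration; the first three sample lines are the ones quoted in the report.

```python
import re

# OpenSSL 3.x packs a non-system error code as:
#   library number in bits 23-30, reason code in bits 0-22.
ERR_LIB_SSL = 20                                   # ERR_LIB_SSL, <openssl/err.h>
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED = 338   # <openssl/sslerr.h>

ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):")
EAP_RE = re.compile(
    r"(?P<iface>\S+): CTRL-EVENT-EAP-METHOD .*method \d+ \((?P<method>\w+)\) selected"
)

def decode_openssl3_error(code_hex):
    """Split an OpenSSL 3.x packed error code into (library, reason)."""
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def find_legacy_renegotiation_failures(lines):
    """Return one finding per handshake that failed with the
    'unsafe legacy renegotiation disabled' reason, tagged with the
    interface and EAP method most recently selected in the log."""
    findings = []
    context = {"iface": None, "eap_method": None}
    for line in lines:
        eap = EAP_RE.search(line)
        if eap:
            context = {"iface": eap["iface"], "eap_method": eap["method"]}
            continue
        err = ERR_RE.search(line)
        if not err:
            continue
        lib, reason = decode_openssl3_error(err["code"])
        if (lib, reason) == (ERR_LIB_SSL, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED):
            findings.append({**context, "code": err["code"].upper()})
    return findings

SAMPLE = [
    "[wpa_supplicant] wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected",
    "[wpa_supplicant] SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure",
    "[wpa_supplicant] OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled",
    # Constructed line: a different SSL-library failure that must not be flagged.
    "[wpa_supplicant] OpenSSL: openssl_handshake - SSL_connect error:0A000086:SSL routines::certificate verify failed",
]

if __name__ == "__main__":
    for finding in find_legacy_renegotiation_failures(SAMPLE):
        print(finding)
```

A hit means the fault is on the authentication server side (missing RFC 5746 support), so the client-side patch is a compatibility workaround rather than a fix for the server.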
Comment 1 Pacho Ramos gentoo-dev 2023-08-23 09:40:47 UTC
It also looks to affect eduroam
Comment 2 Pacho Ramos gentoo-dev 2023-08-23 10:05:23 UTC
Created attachment 868517 [details, diff]
Comment 3 Pacho Ramos gentoo-dev 2023-08-23 10:06:19 UTC
Created attachment 868518 [details, diff]

Both patches are needed (the second one is not needed for the 9999 version)

They fix the problem and allow connecting to eduroam again
Comment 4 Pacho Ramos gentoo-dev 2023-08-23 10:07:47 UTC
They are taken from Debian... the same as those applied in Fedora too
Comment 5 Larry the Git Cow gentoo-dev 2023-08-26 09:30:47 UTC
The bug has been closed via the following commit(s):

commit 862d4997853b3de3fb3507c997a254ae24d84576
Author:     Pacho Ramos <>
AuthorDate: 2023-08-26 09:29:18 +0000
Commit:     Pacho Ramos <>
CommitDate: 2023-08-26 09:29:18 +0000

    net-wireless/wpa_supplicant: Fix openssl3 TLS/EAP regression
    Apply Debian/Fedora patches to fix regression with openssl3 causing some wifi
    connections (i.e. Eduroam) to fail.
    Signed-off-by: Pacho Ramos <>

 ...p-security-level-to-0-with-OpenSSL-3.0-wh.patch |  57 +++
 ...upplicant-2.10-allow-legacy-renegotiation.patch |  30 ++
 .../wpa_supplicant/wpa_supplicant-2.10-r3.ebuild   | 487 +++++++++++++++++++++
 .../wpa_supplicant/wpa_supplicant-9999.ebuild      |   3 +
 4 files changed, 577 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-26 13:34:28 UTC
Thanks, but please include references to where you got the patch + any relevant bugs in the patch itself at the top.