Apparently openssl3 broke some legacy TLS/EAP thing in wpa_supplicant. Due to that I can't connect to the WLAN at the office.

Reproducible: Always

Steps to Reproduce:
1. Try to connect to some corporate WLAN

Actual Results:
Connection fails:
[wpa_supplicant] wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
[wpa_supplicant] SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
[wpa_supplicant] OpenSSL: openssl_handshake - SSL_connect error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Expected Results:
Connection succeeds.

Some other distros have a patch, which works here as well:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1853144.html

Unfortunately I can't seem to use /etc/portage/patches for this, presumably due to the way the ebuild overrides $S, so I had to patch the ebuild locally :(

I also tried mucking about with some related openssl.cnf knobs but couldn't get anything to work that way.
It also looks to affect eduroam
Created attachment 868517
wpa_supplicant-2.10-allow-legacy-renegotiation.patch
Created attachment 868518
wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch

Both patches are needed (the second one not for the 9999 version).
They fix the problem and allow connecting to eduroam again.
They are taken from Debian... the same as those applied in Fedora too
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=862d4997853b3de3fb3507c997a254ae24d84576

commit 862d4997853b3de3fb3507c997a254ae24d84576
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2023-08-26 09:29:18 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2023-08-26 09:29:18 +0000

    net-wireless/wpa_supplicant: Fix openssl3 TLS/EAP regression

    Apply Debian/Fedora patches to fix regression with openssl3 causing some
    wifi connections (i.e. Eduroam) to fail.

    Closes: https://bugs.gentoo.org/912315
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>

 ...p-security-level-to-0-with-OpenSSL-3.0-wh.patch |  57 +++
 ...upplicant-2.10-allow-legacy-renegotiation.patch |  30 ++
 .../wpa_supplicant/wpa_supplicant-2.10-r3.ebuild   | 487 +++++++++++++++++++++
 .../wpa_supplicant/wpa_supplicant-9999.ebuild      |   3 +
 4 files changed, 577 insertions(+)
Thanks, but please include references to where you got the patch + any relevant bugs in the patch itself at the top.