authorSebastien Bacher <seb128@ubuntu.com>2022-05-05 11:55:23 +0200
committerAndrej Shadura <andrew.shadura@collabora.co.uk>2022-05-05 11:23:16 +0100
commit80b7ff01cd6e707674ddde2ab0a8f2a9333c3fc6 (patch)
tree2f14a8426e55149e586412cb661d51b828a4b947
parent218a6b0588356ca4d722f8c3de6b62a1b55c17ab (diff)
Allow legacy renegotiation to fix PEAP issues with some servers
See http://lists.infradead.org/pipermail/hostap/2022-May/040511.html Closes: #1010603 LP: #1962541
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/allow-legacy-renegotiation.patch30
-rw-r--r--debian/patches/series1
3 files changed, 39 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index c42fb8c..d3c0bd9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wpa (2:2.10-9) UNRELEASED; urgency=medium
+
+ * debian/patches/allow-legacy-renegotiation.patch:
+ Allow legacy renegotiation to fix PEAP issues with some servers
+ (Closes: #1010603, LP: #1962541)
+
+ -- Sebastien Bacher <seb128@ubuntu.com> Thu, 05 May 2022 11:31:26 +0200
+
wpa (2:2.10-8) unstable; urgency=medium
* Pull the defconfig updates from the upstream’s Git.
diff --git a/debian/patches/allow-legacy-renegotiation.patch b/debian/patches/allow-legacy-renegotiation.patch
new file mode 100644
index 0000000..574973f
--- /dev/null
+++ b/debian/patches/allow-legacy-renegotiation.patch
@@ -0,0 +1,30 @@
+From: James Ralston <ralston@pobox.com>
+Date: Sun, 1 May 2022 16:15:23 -0700
+Subject: Allow legacy renegotiation to fix PEAP issues with some servers
+
+Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+---
+ src/crypto/tls_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 273e5cb..ad3aa1a 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf)
+ SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+
++ /* Many enterprise PEAP server implementations (e.g. used in large
++ corporations and universities) do not support RFC5746 secure
++ renegotiation, and starting with OpenSSL 3.0,
++ SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++ So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++ only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++ globally. */
++
++ SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++
+ SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
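Review bot: The added `SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT)` in tls_init is unconditional, so it re-enables connections to peers lacking RFC 5746 secure renegotiation for every SSL_CTX this code creates, not only the PEAP client path the commit is fixing — the in-hunk comment itself concedes this is a global workaround rather than a peer-mode-only one. Because tls_init appears to be the shared OpenSSL initialisation for both wpa_supplicant and hostapd, this weakens the EAP server side as well, and it reopens exposure to the pre-RFC 5746 renegotiation plaintext-injection problem against any server that has not implemented the extension. A safer landing would keep the default strict and make the legacy mode an explicit per-network opt-in (carried through `struct tls_config`, which would need a new field — a suggestion, not a verified path in this tree), with the Debian patch header and changelog stating the security trade-off so the divergence from upstream is visible. At minimum the comment should say so plainly, e.g. `/* SECURITY: re-enables pre-RFC5746 renegotiation for ALL TLS contexts, including hostapd's EAP server; drop once a per-network opt-in exists */`. tls_init starts and ends outside the hunk.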
diff --git a/debian/patches/series b/debian/patches/series
index 100c421..54f8eca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ systemd-add-reload-support.patch
manpage-replace-wheel-with-netdev.patch
upstream-fixes/0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
upstream-fixes/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+allow-legacy-renegotiation.patch