diff options
| author | PÁLI Gábor János <pali.gabor@gmail.com> | 2023-03-26 03:42:59 +0200 |
|---|---|---|
| committer | PÁLI Gábor János <pali.gabor@gmail.com> | 2023-03-26 03:48:17 +0200 |
| commit | e9bd74b9455b8bebf1b3ccb2640a48beb6b53d22 (patch) | |
| tree | 9753592e090ccbbc6997d4fa9ab1860a983f7349 /aports/wpa_supplicant/lower-security-level-for-tls-1.patch | |
| parent | 7f012cfae9ba7aa2affda2de4129f064ae7bb9f9 (diff) | |
| download | freebsd-wifibox-alpine-e9bd74b9455b8bebf1b3ccb2640a48beb6b53d22.zip | |
wpa_supplicant: fix TLS negotiation issues with OpenSSL 3.0
References:
- http://w1.fi/cgit/hostap/patch/src/crypto/tls_openssl.c?id=bc99366f9b960150aa2e369048bbc2218c1d414e
Hinted by: ish-org@fromgithub
Diffstat (limited to 'aports/wpa_supplicant/lower-security-level-for-tls-1.patch')
| -rw-r--r-- | aports/wpa_supplicant/lower-security-level-for-tls-1.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/aports/wpa_supplicant/lower-security-level-for-tls-1.patch b/aports/wpa_supplicant/lower-security-level-for-tls-1.patch new file mode 100644 index 0000000..13cb4b7 --- /dev/null +++ b/aports/wpa_supplicant/lower-security-level-for-tls-1.patch @@ -0,0 +1,57 @@ +From bc99366f9b960150aa2e369048bbc2218c1d414e Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 22 May 2022 17:01:35 +0300 +Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS + 1.0/1.1 + +Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for +TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level +drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be +enabled with an explicit network configuration parameter. However, the +default settings are still allowing TLS 1.0 and 1.1 to be negotiated +just to see them fail immediately when using OpenSSL 3.0. This is not +exactly helpful especially when the OpenSSL error message for this +particular case is "internal error" which does not really say anything +about the reason for the error. + +It is is a bit inconvenient to update the security policy for this +particular issue based on the negotiated TLS version since that happens +in the middle of processing for the first message from the server. +However, this can be done by using the debug callback for printing out +the received TLS messages during processing. + +Drop the OpenSSL security level to 0 if that is the only option to +continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed +in wpa_supplicant default configuration and OpenSSL 3.0 with the +constraint on MD5-SHA1 use. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/crypto/tls_openssl.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +(limited to 'src/crypto/tls_openssl.c') + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index 6602ac64f..78621d926 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type, + struct tls_connection *conn = arg; + const u8 *pos = buf; + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ if ((SSL_version(ssl) == TLS1_VERSION || ++ SSL_version(ssl) == TLS1_1_VERSION) && ++ SSL_get_security_level(ssl) > 0) { ++ wpa_printf(MSG_DEBUG, ++ "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm"); ++ SSL_set_security_level(ssl, 0); ++ } ++#endif /* OpenSSL version >= 3.0 */ + if (write_p == 2) { + wpa_printf(MSG_DEBUG, + "OpenSSL: session ver=0x%x content_type=%d", +-- +cgit v1.2.3-18-g5258 + |