rpms/wpa_supplicant
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Allow legacy renegotiation for bad PEAP servers (#2072070)

Browse Source 
Thanks to James Ralston for this.
This commit is contained in:
Adam Williamson 2022-05-02 11:05:14 -07:00
parent de6fe465d1
commit 2a2d184805
2 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
wpa_supplicant-allow-legacy-renegotiation.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect wpa_supplicant-2.10/src/crypto/tls_openssl.c
--- wpa_supplicant-2.10/src/crypto/tls_openssl.c.legacy-server-connect 2022-01-16 15:51:29.000000000 -0500
+++ wpa_supplicant-2.10/src/crypto/tls_openssl.c 2022-04-28 02:47:26.863529683 -0400
@@ -1049,6 +1049,16 @@
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ /* Many enterprise PEAP server implementations (e.g. used in large
+ corporations and universities) do not support RFC5746 secure
+ renegotiation, and starting with OpenSSL 3.0,
+ SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
+ So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
+ only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
+ globally. */
+
+ SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+
SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
#ifdef SSL_MODE_NO_AUTO_CHAIN

10
wpa_supplicant.spec
View File

@ -9,7 +9,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
Name: wpa_supplicant
Epoch: 1
Version: 2.10
Release: 3%{?dist}
Release: 4%{?dist}
License: BSD
Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
Source1: wpa_supplicant.conf
@ -34,6 +34,11 @@ Patch6: wpa_supplicant-defconfig-keep-CONFIG_WEP-enabled.patch
# FIXME: Explain why are these two here
Patch7: wpa_supplicant-defconfig-enable-WPA-EAP-SUITE-B-192-ciphers.patch
Patch8: wpa_supplicant-defconfig-enable-OCV-support.patch
# Allow legacy renegotiation with openssl 3.0 to fix connection to
# PEAP/Radius servers that don't support secure renegotiation:
# https://bugzilla.redhat.com/show_bug.cgi?id=2072070
# From James Ralston in comment #24, thanks to James
Patch9: wpa_supplicant-allow-legacy-renegotiation.patch
URL: http://w1.fi/wpa_supplicant/
@ -194,6 +199,9 @@ chmod -R 0644 wpa_supplicant/examples/*.py
%changelog
* Mon May 02 2022 Adam Williamson <awilliam@redhat.com> - 1:2.10-4
- Allow legacy renegotiation for bad PEAP servers (James Ralston) (#2072070)
* Wed Jan 26 2022 Michael Yartys <michael.yartys@protonmail.com> - 1:2.10-3
- Enable Operating Channel Validation (OCV) support