wpa_supplicant-2.10-allow-legacy-renegotiation.patch (1172B)
1 From: James Ralston <ralston@pobox.com>
2 Date: Sun, 1 May 2022 16:15:23 -0700
3 Subject: Allow legacy renegotiation to fix PEAP issues with some servers
4
5 Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
6 ---
7 src/crypto/tls_openssl.c | 10 ++++++++++
8 1 file changed, 10 insertions(+)
9
10 diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
11 index 273e5cb..ad3aa1a 100644
12 --- a/src/crypto/tls_openssl.c
13 +++ b/src/crypto/tls_openssl.c
14 @@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf)
15 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
16 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
17
18 + /* Many enterprise PEAP server implementations (e.g. used in large
19 + corporations and universities) do not support RFC5746 secure
20 + renegotiation, and starting with OpenSSL 3.0,
21 + SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
22 + So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
23 + only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
24 + globally. */
25 +
26 + SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
27 +
28 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
29
30 #ifdef SSL_MODE_NO_AUTO_CHAIN
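Review bot: The new `SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);` is applied unconditionally to every SSL_CTX that tls_init() creates, so it weakens all TLS-based EAP methods (EAP-TLS, TTLS, PEAP, FAST) and, since this file is shared, presumably the EAP server side in hostapd as well, not only the PEAP peer case the commit message describes; the added comment itself says the intent is EAP peer mode only. Accepting a server that does not negotiate RFC 5746 gives up the renegotiation-splicing protection that extension exists for, which OpenSSL 3.0 deliberately stopped enabling by default. A safer shape is to keep the default off and set the option only when a per-network opt-in is present on `conf` (the `const struct tls_config *conf` parameter visible in the hunk header), e.g. `if (conf && conf-><legacy-renegotiation-flag /* placeholder: add to struct tls_config */>) SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);`, and to log it when taken, `wpa_printf(MSG_INFO, "OpenSSL: allowing legacy (non-RFC5746) server renegotiation");`, so operators can see which networks rely on the downgrade. If the global form is kept as a stopgap, the comment should at least state the security trade-off explicitly (every TLS session built from this context will accept a non-RFC5746 peer) rather than only the compatibility motivation. The enclosing tls_init() starts before and ends after this hunk.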