No luck on the openssl front, but a patch to wpa_supplicant that disables TLS 
session tickets does the trick for me. See http://w1.fi/bugz/show_bug.cgi?id=447

I've attached a debdiff against wpa.
diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog
--- wpa-1.0/debian/changelog	2012-05-13 16:39:47.000000000 -0400
+++ wpa-1.0/debian/changelog	2012-07-23 13:34:13.000000000 -0400
@@ -1,3 +1,12 @@
+wpa (1.0-2.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Disable TLS session tickets. Ever since the release of openssl-1.0.1,
+    session tickets have (apparently) prevented WPA2 enterprise authentication
+    against some (probably broken) access points. (Bug #667706)
+
+ -- Benjamin Kay <benja...@benkay.net>  Mon, 23 Jul 2012 13:33:49 -0400
+
 wpa (1.0-2) unstable; urgency=low
 
   * Really enable hardened build flags, thanks Simon Ruderich
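Review bot: In the new changelog entry, "(Bug #667706)" will not close the report when the package is uploaded, because the Debian archive only acts on the "Closes: #NNNNNN" form. Write "(Closes: #667706)" instead. The distribution field is still UNRELEASED, which is fine for a proposed debdiff but has to be set to the target suite before an actual upload.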
diff -Nru wpa-1.0/debian/patches/disable_session_tickets.patch wpa-1.0/debian/patches/disable_session_tickets.patch
--- wpa-1.0/debian/patches/disable_session_tickets.patch	1969-12-31 19:00:00.000000000 -0500
+++ wpa-1.0/debian/patches/disable_session_tickets.patch	2012-07-23 13:33:32.000000000 -0400
@@ -0,0 +1,14 @@
+Disables TLS session tickets, thereby avoiding enterprise authentication
+failures against some (probably broken) access points that had arisen since
+the release of openssl-1.0.1.
+See http://w1.fi/bugz/attachment.cgi?id=235&action=diff
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -926,6 +926,7 @@
+ #ifdef SSL_OP_NO_COMPRESSION
+ 	options |= SSL_OP_NO_COMPRESSION;
+ #endif /* SSL_OP_NO_COMPRESSION */
++	options |= SSL_OP_NO_TICKET;
+ 	SSL_set_options(conn->ssl, options);
+ 
+ 	conn->ssl_in = BIO_new(BIO_s_mem());
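Review bot: The added line "options |= SSL_OP_NO_TICKET;" is unconditional, while the SSL_OP_NO_COMPRESSION line directly above it is wrapped in #ifdef/#endif. Guard the new line with "#ifdef SSL_OP_NO_TICKET" in the same way so the file still builds against OpenSSL headers that do not define the option. The line also turns session tickets off for every connection set up through this code path, not only for the access points the patch header describes as probably broken, so the header should say the change is global, or the option should be made a per-network setting.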
diff -Nru wpa-1.0/debian/patches/series wpa-1.0/debian/patches/series
--- wpa-1.0/debian/patches/series	2012-04-17 07:03:56.000000000 -0400
+++ wpa-1.0/debian/patches/series	2012-07-23 13:33:32.000000000 -0400
@@ -6,3 +6,4 @@
 12_wpa_gui_knotify_support.patch
 13_human_readable_signal.patch
 libnl3-includes.patch
+disable_session_tickets.patch
