On Mon, 3 Sep 2018 22:24:29 +0200 Kurt Roeckx <k...@roeckx.be> wrote:
> The fix is to tell your administrator to use 2048 (or more) bit
> keys. I assume there are certificates on both sides, so they both
> need to get replaced.
>
> You can work around this issue by putting something like this in
> your config file:
> openssl_ciphers=DEFAULT@SECLEVEL=1

Dear Kurt, thanks a lot for the quick reply. Unfortunately:

1. Administrators of big organizations are usually reluctant to change
their certificates
2. The suggested workaround works (thanks again) for wpa_supplicant but
NetworkManager (which is used by most Linux distros) cannot pass the
"openssl_ciphers" flag to wpa_supplicant.

On the other hand, starting from your suggestion, I found a workaround that
changes the cipher globally. I report it below for other users.

It is just a matter of editing file /etc/ssl/openssl.cnf changing last line
from:
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT@SECLEVEL=1

I know, this impacts the global security of your Linux box, but it was the
standard up to August, when OpenSSL 1.1.1 was released, so it should not be
a big problem for most users :-)

  Gianpaolo
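
An audit check for the system-wide setting discussed above, as an added example that is not part of the original message: it follows the openssl_conf -> ssl_conf -> system_default chain in an openssl.cnf-style text and reports when CipherString lowers SECLEVEL below 2. The section names in the sample are constructed, assuming a Debian-style layout.

```python
import re

# Constructed sample (assumed Debian-style section names), not copied from the thread.
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
"""

def parse_cnf(text):
    """Parse OpenSSL config text into {section: {key: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_seclevel(text):
    """Return (CipherString, level); level is None when no @SECLEVEL is configured."""
    cfg = parse_cnf(text)
    section = ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        section = cfg.get(section, {}).get(key)
        if section is None:
            return None, None                  # chain not configured in this file
    cipher_string = cfg.get(section, {}).get("CipherString")
    match = re.search(r"@SECLEVEL=(\d)", cipher_string or "")
    return cipher_string, int(match.group(1)) if match else None

def audit(text, minimum=2):
    """Return a finding string if the system-wide level is below `minimum`, else None."""
    cipher_string, level = system_default_seclevel(text)
    if level is not None and level < minimum:
        return f"CipherString={cipher_string!r} sets system-wide SECLEVEL to {level}"
    return None

if __name__ == "__main__":
    print(audit(SAMPLE_CNF) or "no system-wide SECLEVEL downgrade found")
```

To check a real host, pass the contents of /etc/ssl/openssl.cnf to audit() instead of the sample.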
