Bug#907518: wpa: problems with openssl 1.1.1
On Sun, Oct 07, 2018 at 11:00:48AM +0200, Andrej Shadura wrote:
> > I’m unsure what can be done to help resolve this issue from the wpa side.

The only thing I can think of is that wpa could add a way to specify the minimum tls version.
Bug#907518: wpa: problems with openssl 1.1.1
On Sun, Oct 07, 2018 at 11:00:48AM +0200, Andrej Shadura wrote:
> I’m unsure what can be done to help resolve this issue from the wpa side.

For debugging purposes, I'd still be interested to know this:

> On Wed, 5 Sep 2018 14:57:59 -0700 Josh Triplett wrote:
> > Is there a way I can easily get wpa_supplicant to log the full client
> > and server certificate chain, and flag which *specific* certificate in
> > that chain it has an issue with? I'm trying to present appropriate
> > information to get the wireless network infrastructure improved, and
> > unlike https I can't just use `openssl s_client` to get the details I
> > need.
Bug#907518: wpa: problems with openssl 1.1.1
On Wed, 5 Sep 2018 14:57:59 -0700 Josh Triplett wrote:
> On Wed, Sep 05, 2018 at 11:48:56PM +0200, Kurt Roeckx wrote:
> > The problem here is that the CA you're connecting to has an
> > insecure certificate. You should talk to your administrator
> > to generate stronger keys.
>
> I am aware of this, and I'm in the process of doing so.
>
> > The "ca md too weak" is because the certificate is probably using
> > SHA-1, while it should move to SHA256.
>
> Is there a way I can easily get wpa_supplicant to log the full client
> and server certificate chain, and flag which *specific* certificate in
> that chain it has an issue with? I'm trying to present appropriate
> information to get the wireless network infrastructure improved, and
> unlike https I can't just use `openssl s_client` to get the details I
> need.
>
> > This can be worked around by using this in your wpa config:
> > openssl_ciphers=DEFAULT@SECLEVEL=1
>
> I don't suppose you happen to know how I could do that for a
> NetworkManager network configuration?
>
> > There is also an "ssl_choose_client_version:version too low" message.
> > This is most likely caused by minimum TLS 1.2 version setting. I
> > can't find a way in wpa to override the default. You will have to
> > modify /etc/ssl/openssl.cnf and change:
> > MinProtocol = TLSv1.2
> > to:
> > MinProtocol = TLSv1
>
> Good to know, thank you.
>
> > Note that you can also change the cipher string in that file, from
> > CipherString = DEFAULT@SECLEVEL=2
> > to
> > CipherString = DEFAULT@SECLEVEL=1
> >
> > But I recommend that you do it in the wpa config file if you can
> > instead, so that only the security of that connection is lowered.
>
> Ideally I'd like to do that for just the one network, yeah.

I’m unsure what can be done to help resolve this issue from the wpa side.

-- 
Cheers,
  Andrej
Bug#907518: wpa: problems with openssl 1.1.1
On Wed, Sep 05, 2018 at 11:48:56PM +0200, Kurt Roeckx wrote:
> The problem here is that the CA you're connecting to has an
> insecure certificate. You should talk to your administrator
> to generate stronger keys.

I am aware of this, and I'm in the process of doing so.

> The "ca md too weak" is because the certificate is probably using
> SHA-1, while it should move to SHA256.

Is there a way I can easily get wpa_supplicant to log the full client
and server certificate chain, and flag which *specific* certificate in
that chain it has an issue with? I'm trying to present appropriate
information to get the wireless network infrastructure improved, and
unlike https I can't just use `openssl s_client` to get the details I
need.

> This can be worked around by using this in your wpa config:
> openssl_ciphers=DEFAULT@SECLEVEL=1

I don't suppose you happen to know how I could do that for a
NetworkManager network configuration?

> There is also an "ssl_choose_client_version:version too low" message.
> This is most likely caused by minimum TLS 1.2 version setting. I
> can't find a way in wpa to override the default. You will have to
> modify /etc/ssl/openssl.cnf and change:
> MinProtocol = TLSv1.2
> to:
> MinProtocol = TLSv1

Good to know, thank you.

> Note that you can also change the cipher string in that file, from
> CipherString = DEFAULT@SECLEVEL=2
> to
> CipherString = DEFAULT@SECLEVEL=1
>
> But I recommend that you do it in the wpa config file if you can
> instead, so that only the security of that connection is lowered.

Ideally I'd like to do that for just the one network, yeah.
Bug#907518: wpa: problems with openssl 1.1.1
The problem here is that the CA you're connecting to has an
insecure certificate. You should talk to your administrator
to generate stronger keys.

The "ca md too weak" is because the certificate is probably using
SHA-1, while it should move to SHA256.

This can be worked around by using this in your wpa config:
openssl_ciphers=DEFAULT@SECLEVEL=1

There is also an "ssl_choose_client_version:version too low" message.
This is most likely caused by minimum TLS 1.2 version setting. I
can't find a way in wpa to override the default. You will have to
modify /etc/ssl/openssl.cnf and change:
MinProtocol = TLSv1.2
to:
MinProtocol = TLSv1

Note that you can also change the cipher string in that file, from
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT@SECLEVEL=1

But I recommend that you do it in the wpa config file if you can
instead, so that only the security of that connection is lowered.
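Josh's question earlier in the thread (which specific certificate in the chain is the problem) and Kurt's explanation that "ca md too weak" means a SHA-1-signed certificate, as an added example that is not part of this bug thread or of wpa_supplicant: a stdlib-only Python script that walks a PEM chain (for instance the file given as the network's ca_cert) and reports each certificate's subject CN and signature algorithm, flagging the ones SECLEVEL=2 rejects. The two certificates, their names and the tiny DER encoder used to build them are constructed for the demo and are not real.

```python
# Added example (not wpa_supplicant or OpenSSL code): a minimal DER walker that lists each
# cert in a PEM chain with subject CN and signature OID, flagging SECLEVEL=2 rejects.
import base64, re
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
def tlv(buf, pos=0):                      # one DER tag-length-value -> (tag, content, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long-form length: low 7 bits = number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln
def children(buf):                        # members of a constructed value as (tag, content)
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = tlv(buf, pos)
        out.append((tag, content))
    return out
def oid_str(b):                           # DER OBJECT IDENTIFIER content -> dotted string
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80: arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def subject_cn(tbs):                      # commonName from TBSCertificate.subject
    kids = children(tbs)
    kids = kids[1:] if kids[0][0] == 0xA0 else kids       # drop the optional [0] version
    for _, rdn in children(kids[4][1]):                   # serial, sigalg, issuer, validity, SUBJECT
        for _, ava in children(rdn):
            (_, attr), (_, val) = children(ava)
            if oid_str(attr) == "2.5.4.3":                # id-at-commonName
                return val.decode()
    return "<no CN>"
def check_chain(pem):                     # -> [(position, subject CN, signature OID, is_weak)]
    out = []
    for i, b64 in enumerate(re.findall(r"BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S)):
        tbs, sigalg, _sig = children(tlv(base64.b64decode(b64))[1])   # Certificate ::= SEQ {tbs, alg, sig}
        oid = oid_str(children(sigalg[1])[0][1])
        out.append((i, subject_cn(tbs[1]), oid, oid in WEAK_SIG_OIDS))
    return out

# Constructed sample chain (not real certs): SHA-256-signed RADIUS server cert under a SHA-1-signed CA.
der = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)  # short lengths only
def fake_cert(cn, issuer, sig_oid):
    alg = der(0x30, der(0x06, sig_oid), b"\x05\x00")
    name = lambda s: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, s.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name(issuer),
              der(0x30, der(0x17, b"180101000000Z"), der(0x17, b"280101000000Z")), name(cn))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))
SHA1_RSA, SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
SAMPLE_CHAIN = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(c).decode()
                       for c in (fake_cert("Corp RADIUS", "Corp CA", SHA256_RSA), fake_cert("Corp CA", "Corp CA", SHA1_RSA)))
```

Running check_chain on SAMPLE_CHAIN marks only the "Corp CA" entry as weak, which is the certificate an administrator would need to reissue with SHA-256 before SECLEVEL=2 accepts the network again.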