Merge pull request #1944 from chenxiaolong/eapol_tls_1.0_regression

eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
author: Christian Breunig <christian@breunig.cc> 2023-04-09 21:13:19 +0200
committer: GitHub <noreply@github.com> 2023-04-09 21:13:19 +0200
commit: f5d40cf3cf8b29a289da31bb3f0368fcfaeae3c9 (patch)
tree: 56b25e51f4b4f65638f7946e37989112c73835c0
parent: d5eafd464047ee293c68c2fe6e1ba4e6e4d60585 (diff)
parent: c53d73cd8958a71b853d13b1515f89c5f35bdae4 (diff)
download: vyos-1x-f5d40cf3cf8b29a289da31bb3f0368fcfaeae3c9.tar.gz
vyos-1x-f5d40cf3cf8b29a289da31bb3f0368fcfaeae3c9.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
index 8f140f6cb..cd35d6d1e 100644
--- a/data/templates/ethernet/wpa_supplicant.conf.j2
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -67,6 +67,11 @@ network={
     # discards such frames to protect against potential attacks by rogue
     # devices, but this option can be used to disable that protection for cases
     # where the server/authenticator does not need to be authenticated.
-    phase1="allow_canned_success=1"
+    #
+    # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with
+    # legacy networks. This follows the behavior of Debian's wpa_supplicant,
+    # which includes a custom patch for allowing TLSv1, but the patch currently
+    # does not work for VyOS' git builds of wpa_supplicant.
+    phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
 }
author	Christian Breunig <christian@breunig.cc>	2023-04-09 21:13:19 +0200
committer	GitHub <noreply@github.com>	2023-04-09 21:13:19 +0200
commit	f5d40cf3cf8b29a289da31bb3f0368fcfaeae3c9 (patch)
tree	56b25e51f4b4f65638f7946e37989112c73835c0
parent	d5eafd464047ee293c68c2fe6e1ba4e6e4d60585 (diff)
parent	c53d73cd8958a71b853d13b1515f89c5f35bdae4 (diff)
download	vyos-1x-f5d40cf3cf8b29a289da31bb3f0368fcfaeae3c9.tar.gz vyos-1x-f5d40cf3cf8b29a289da31bb3f0368fcfaeae3c9.zip