diff options
author | Andrew Gunnerson <accounts+github@chiller3.com> | 2023-04-09 12:22:16 -0400 |
---|---|---|
committer | Andrew Gunnerson <accounts+github@chiller3.com> | 2023-04-09 12:42:32 -0400 |
commit | c53d73cd8958a71b853d13b1515f89c5f35bdae4 (patch) | |
tree | 56b25e51f4b4f65638f7946e37989112c73835c0 /data/templates/ethernet | |
parent | d5eafd464047ee293c68c2fe6e1ba4e6e4d60585 (diff) | |
download | vyos-1x-c53d73cd8958a71b853d13b1515f89c5f35bdae4.tar.gz vyos-1x-c53d73cd8958a71b853d13b1515f89c5f35bdae4.zip |
eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS
The Debian 12 upgrade in T5003 caused a regression for connecting to
legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows
this by default in their wpa_supplicant package, but their
`allow-tlsv1.patch` patch does not work properly with VyOS' newer
wpa_supplicant package, which is based on the latest code in git. As a
result, wpa_supplicant always respects the system-wide openssl crypto
policy, disallowing TLSv1. The commit uses the documented way of
allowing TLSv1, which takes precedence over the system crypto policy.
Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>
Diffstat (limited to 'data/templates/ethernet')
-rw-r--r-- | data/templates/ethernet/wpa_supplicant.conf.j2 | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2 index 8f140f6cb..cd35d6d1e 100644 --- a/data/templates/ethernet/wpa_supplicant.conf.j2 +++ b/data/templates/ethernet/wpa_supplicant.conf.j2 @@ -67,6 +67,11 @@ network={ # discards such frames to protect against potential attacks by rogue # devices, but this option can be used to disable that protection for cases # where the server/authenticator does not need to be authenticated. - phase1="allow_canned_success=1" + # + # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with + # legacy networks. This follows the behavior of Debian's wpa_supplicant, + # which includes a custom patch for allowing TLSv1, but the patch currently + # does not work for VyOS' git builds of wpa_supplicant. + phase1="allow_canned_success=1 tls_disable_tlsv1_0=0" } |