eapol: T5151: Allow TLSv1.0/1.1 for EAP-TLS

The Debian 12 upgrade in T5003 caused a regression for connecting to
legacy networks that only support TLSv1.0/1.1 for EAP-TLS. Debian allows
this by default in their wpa_supplicant package, but their
`allow-tlsv1.patch` patch does not work properly with VyOS' newer
wpa_supplicant package, which is based on the latest code in git. As a
result, wpa_supplicant always respects the system-wide openssl crypto
policy, disallowing TLSv1. The commit uses the documented way of
allowing TLSv1, which takes precedence over the system crypto policy.

Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
index 8f140f6cb..cd35d6d1e 100644
--- a/data/templates/ethernet/wpa_supplicant.conf.j2
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -67,6 +67,11 @@ network={
     # discards such frames to protect against potential attacks by rogue
     # devices, but this option can be used to disable that protection for cases
     # where the server/authenticator does not need to be authenticated.
-    phase1="allow_canned_success=1"
+    #
+    # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with
+    # legacy networks. This follows the behavior of Debian's wpa_supplicant,
+    # which includes a custom patch for allowing TLSv1, but the patch currently
+    # does not work for VyOS' git builds of wpa_supplicant.
+    phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
 }