On Wed, Sep 05, 2018 at 11:48:56PM +0200, Kurt Roeckx wrote:
> The problem here is that the CA you're connecting to has an
> insecure certificate. You should talk to your administrator
> to generate stronger keys.

I am aware of this, and I'm in the process of doing so.

> The "ca md too weak" is because the certificate is probably using
> SHA-1, while it should move to SHA256.

Is there a way I can easily get wpa_supplicant to log the full client
and server certificate chain, and flag which *specific* certificate in
that chain it has an issue with? I'm trying to present appropriate
information to get the wireless network infrastructure improved, and
unlike https I can't just use `openssl s_client` to get the details I
need.

> This can be worked around by using this in your wpa config:
> openssl_ciphers=DEFAULT@SECLEVEL=1

I don't suppose you happen to know how I could do that for a
NetworkManager network configuration?

> There is also an "ssl_choose_client_version:version too low" message.
> This is most likely caused by minimum TLS 1.2 version setting. I
> can't find a way in wpa to override the default. You will have to
> modify /etc/ssl/openssl.cnf and change:
> MinProtocol = TLSv1.2
> to:
> MinProtocol = TLSv1

Good to know, thank you.

> Note that you can also change the cipher string in that file, from
> CipherString = DEFAULT@SECLEVEL=2
> to
> CipherString = DEFAULT@SECLEVEL=1
>
> But I recommend that you do it in the wpa config file if you can
> instead, so that only the security of that connection is lowered.

Ideally I'd like to do that for just the one network, yeah.