From: Andrej Shadura <andre...@debian.org>

This patch is not intended to be merged into the upstream code, but I
would still like to receive comments from people involved in development.

In the Debian bug reports #907518 and #911297 (see below), people complained
that OpenSSL 1.1.1 disables TLSv1.0 and some other insecure settings by
default, but some older networks may still require their support:

    wpa_supplicant[523]: OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
    wpa_supplicant[523]: OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
    wpa_supplicant[523]: OpenSSL: pending error: error:140C618E:SSL routines:SSL_use_certificate:ca md too weak
    wpa_supplicant[523]: TLS: Failed to set TLS connection parameters
    wpa_supplicant[523]: EAP-TLS: Failed to initialize SSL.
    wpa_supplicant[523]: wlp4s0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)

Some of those issues can be overridden by adding
openssl_ciphers=DEFAULT@SECLEVEL=1
to the wpa config, but e.g. Kurt Roeckx complained that the minimum TLS
version is still 1.2:

    ssl_choose_client_version:version too low

Unlike ciphers, that cannot be overridden in the wpa config, since
tls_disable_tlsv1_0 only allows disabling TLS versions, not enabling
them back if the default version is too high. I intend to apply
the patch below to wpa in Debian, which will enable switching TLSv1.0
back if necessary by adding tls_disable_tlsv1_0=0 to the config.

As I don't possess much knowledge of OpenSSL, and I would like to avoid
a potential repeat of the weak security issue Debian had in the past,
I'd like people here to have a look and comment on this.

Thanks in advance.
Andrej

References:

[1]: https://bugs.debian.org/907518
[2]: https://bugs.debian.org/911297

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 0d5ebda..39994f7 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2498,8 +2498,10 @@ static int tls_set_conn_flags(struct tls_connection 
*conn, unsigned int flags,
 #ifdef SSL_OP_NO_TLSv1
        if (flags & TLS_CONN_DISABLE_TLSv1_0)
                SSL_set_options(ssl, SSL_OP_NO_TLSv1);
-       else
+       else {
+               SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
                SSL_clear_options(ssl, SSL_OP_NO_TLSv1);
+       }
 #endif /* SSL_OP_NO_TLSv1 */
 #ifdef SSL_OP_NO_TLSv1_1
        if (flags & TLS_CONN_DISABLE_TLSv1_1)
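Review bot: In the new else branch, SSL_CTX_set_min_proto_version() is passed ssl, the same per-connection object that SSL_set_options() and SSL_clear_options() receive on the neighbouring lines, so a context-level call is being given an SSL * where it expects an SSL_CTX *. Use the connection-level form, SSL_set_min_proto_version(ssl, TLS1_VERSION), and check its return value so that a failure to lower the floor is logged here instead of surfacing later as "version too low". The call also sits only under #ifdef SSL_OP_NO_TLSv1; it needs its own guard for OpenSSL builds that predate the min-proto-version API.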
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 0de1315..d4fb454 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -151,6 +151,10 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
                                    struct eap_peer_config *config, int phase2)
 {
        os_memset(params, 0, sizeof(*params));
+
+       /* Debian change: disable TLSv1.0 by default but allow overriding it */
+       params->flags |= TLS_CONN_DISABLE_TLSv1_0;
+
        if (sm->workaround && data->eap_type != EAP_TYPE_FAST) {
                /*
                 * Some deployed authentication servers seem to be unable to
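Review bot: The flag is set unconditionally right after os_memset() and nothing in the visible lines clears it, so the advertised tls_disable_tlsv1_0=0 override works only if the later parameter parsing explicitly removes TLS_CONN_DISABLE_TLSv1_0 for a "=0" value. Please confirm that this path exists for both phase 1 and phase 2, and name the config knob in the comment. Combined with the tls_openssl.c change, a cleared flag now forces the minimum down to TLS1_VERSION, so the comment should also say that "=0" overrides the system-wide OpenSSL minimum rather than merely restoring a default.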
