Bug#1010603: Please include patch to allow legacy renegotiation with openssl3

2022-05-05 Thread Sebastien Bacher

I forgot to attach the actual patch, there we go
diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2022-04-09 09:28:35.0 +0200
+++ wpa-2.10/debian/changelog	2022-05-05 11:31:26.0 +0200
@@ -1,3 +1,11 @@
+wpa (2:2.10-9) unstable; urgency=medium
+
+  * debian/patches/allow-legacy-renegotiation.patch:
+allow legacy renegotiation to fix PEAP issues with some servers
+(Closes: #1010603)
+
+ -- Sebastien Bacher   Thu, 05 May 2022 11:31:26 +0200
+
 wpa (2:2.10-8) unstable; urgency=medium
 
   * Pull the defconfig updates from the upstream’s Git.
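Review bot: the changelog entry at `+  * debian/patches/allow-legacy-renegotiation.patch:` describes the change only as a PEAP fix and does not say that it relaxes TLS security; since the patch sets `SSL_OP_LEGACY_SERVER_CONNECT` for every context created by `tls_init()`, the entry should state that the RFC 5746 secure-renegotiation requirement is no longer enforced for TLS connections made by wpa_supplicant and hostapd, so that users reading the changelog can judge the trade-off, and it would help to cite the upstream hostap thread that proposed the workaround.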
diff -Nru wpa-2.10/debian/patches/allow-legacy-renegotiation.patch wpa-2.10/debian/patches/allow-legacy-renegotiation.patch
--- wpa-2.10/debian/patches/allow-legacy-renegotiation.patch	1970-01-01 01:00:00.0 +0100
+++ wpa-2.10/debian/patches/allow-legacy-renegotiation.patch	2022-05-05 11:31:26.0 +0200
@@ -0,0 +1,24 @@
+# Description: allow legacy renegotiation to fix PEAP issues with some servers
+# Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+#
+Index: wpa-2.10/src/crypto/tls_openssl.c
+===
+--- wpa-2.10.orig/src/crypto/tls_openssl.c
 wpa-2.10/src/crypto/tls_openssl.c
+@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
++	/* Many enterprise PEAP server implementations (e.g. used in large
++	 corporations and universities) do not support RFC5746 secure
++	 renegotiation, and starting with OpenSSL 3.0,
++	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++	 globally. */
++
++	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++
+ 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ 
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
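Review bot: `SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);` is applied unconditionally in `tls_init()`, so it loosens the RFC 5746 check for every TLS context this code creates (including hostapd's EAP server side and EAP-TLS/TTLS peers that talk to compliant servers), while the patch's own comment says the intended scope is EAP peer mode only. Consider gating the option on a field in `struct tls_config` or a phase1 parameter so it is enabled only for the PEAP peer connections that need it, and documenting the option so operators can keep the default strict. Two smaller points: the embedded `+++` header for `wpa-2.10/src/crypto/tls_openssl.c` appears here without its `+` prefix, so the quilt patch should be checked to apply cleanly from the uploaded source, and the header `# Upstream:` is not a DEP-3 field; `Origin:` or `Bug:` plus `Author:` and `Forwarded:` would let tooling parse the provenance.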
diff -Nru wpa-2.10/debian/patches/series wpa-2.10/debian/patches/series
--- wpa-2.10/debian/patches/series	2022-04-09 09:28:35.0 +0200
+++ wpa-2.10/debian/patches/series	2022-05-05 11:31:26.0 +0200
@@ -7,3 +7,4 @@
 manpage-replace-wheel-with-netdev.patch
 upstream-fixes/0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
 upstream-fixes/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+allow-legacy-renegotiation.patch


Bug#1010603: Please include patch to allow legacy renegotiation with openssl3

2022-05-05 Thread Sebastien Bacher

Package: wpa
Version: 2.10-8
Severity: wishlist

Building with openssl3 creates issues to connect to some access points; one suggested workaround is to allow legacy renegotiation, details are on http://lists.infradead.org/pipermail/hostap/2022-May/040511.html


Currently Fedora and Ubuntu include that patch. Debian didn't transition
to openssl3 yet but eventually would need it. It would be nice if you
could already include the change, it shouldn't create any issue for
Debian, will avoid surprises if rebuilt with openssl3 and would allow
Ubuntu to be back in sync.


Thanks for considering