On Tue, Sep 04, 2018 at 11:41:48AM +0200, Gianpaolo Cugola wrote: > > 1. Administrators of big organizations are usually reluctant to change > their certificates
Can you at least try to contact them? > 2. The suggested workaround works (thanks again) for wpa_supplicant but > NetworkManager (which is used by most linux distros) cannot pass the > "openssl_ciphers" flag to wpa_supplicant. > > On the other hand, starting from your suggestion, I found a workaround that > changes the cipher globally. I report it below for other users. > > It is just a matter of editing file /etc/ssl/openssl.cnf changing last line > from: > CipherString = DEFAULT@SECLEVEL=2 > to > CipherString = DEFAULT@SECLEVEL=1 > > I know, this impact the global security of your linux box, but it was the > standard up to August, when OpenSSL 1.1.1 was released, so it should not be > a big problem for most users :-) It would be best that you could specify this as specific as needed, so per connection. So having support for that in NetworkManager could be nice. Kurt