diff options
Diffstat (limited to 'testing/source/wpa_supplicant')
-rw-r--r-- | testing/source/wpa_supplicant/config/dot.config | 9 | ||||
-rw-r--r-- | testing/source/wpa_supplicant/patches/allow-tlsv1.patch | 22 | ||||
-rwxr-xr-x | testing/source/wpa_supplicant/wpa_supplicant.SlackBuild | 5 |
3 files changed, 31 insertions, 5 deletions
diff --git a/testing/source/wpa_supplicant/config/dot.config b/testing/source/wpa_supplicant/config/dot.config index 94871afd..966a98c2 100644 --- a/testing/source/wpa_supplicant/config/dot.config +++ b/testing/source/wpa_supplicant/config/dot.config @@ -32,7 +32,7 @@ CONFIG_DRIVER_WEXT=y CONFIG_DRIVER_NL80211=y # QCA vendor extensions to nl80211 -#CONFIG_DRIVER_NL80211_QCA=y +CONFIG_DRIVER_NL80211_QCA=y # driver_nl80211.c requires libnl. If you are compiling it yourself # you may need to point hostapd to your version of libnl. @@ -310,14 +310,14 @@ CONFIG_IEEE80211W=y # internal = Internal TLSv1 implementation (experimental) # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) # none = Empty template -#CONFIG_TLS=openssl +CONFIG_TLS=openssl # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) # can be enabled to get a stronger construction of messages when block ciphers # are used. It should be noted that some existing TLS v1.0 -based # implementation may not be compatible with TLS v1.1 message (ClientHello is # sent prior to negotiating which version will be used) -#CONFIG_TLSV11=y +CONFIG_TLSV11=y # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) # can be enabled to enable use of stronger crypto algorithms. It should be @@ -328,7 +328,8 @@ CONFIG_IEEE80211W=y # Select which ciphers to use by default with OpenSSL if the user does not # specify them. -CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES" +#CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES" +CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1" # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of diff --git a/testing/source/wpa_supplicant/patches/allow-tlsv1.patch b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch new file mode 100644 index 00000000..eb5fb781 --- /dev/null +++ b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch @@ -0,0 +1,22 @@ +From: Andrej Shadura <andrewsh@debian.org> +Subject: Enable TLSv1.0 by default + +OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2. +Some older networks may support for TLSv1.0 and less secure cyphers. + +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -988,6 +988,13 @@ + os_free(data); + return NULL; + } ++ ++#ifndef EAP_SERVER_TLS ++ /* Enable TLSv1.0 by default to allow connecting to legacy ++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */ ++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION); ++#endif ++ + data->ssl = ssl; + if (conf) + data->tls_session_lifetime = conf->tls_session_lifetime; diff --git a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild index c248c130..492ddb72 100755 --- a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild +++ b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=wpa_supplicant VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-2} +BUILD=${BUILD:-3} SRCVERSION=$(printf $VERSION | tr _ -) @@ -92,6 +92,9 @@ zcat $CWD/patches/wpa_supplicant-gui-qt4.patch.gz | patch -p1 --verbose || exit zcat $CWD/patches/wpa_supplicant-quiet-scan-results-message.patch.gz | patch -p1 --verbose || exit 1 zcat $CWD/patches/wpa_supplicant-2.7-fix-undefined-remove-ie.patch.gz | patch -p1 --verbose || exit 1 +# Allow legacy tls to avoid breaking WPA2-Enterprise: +zcat $CWD/patches/allow-tlsv1.patch.gz | patch -p1 --verbose || exit 1 + cd wpa_supplicant # Create the configuration file for building wpa_supplicant: |