Diffstat (limited to 'testing/source')
-rw-r--r--testing/source/wpa_supplicant/config/dot.config9
-rw-r--r--testing/source/wpa_supplicant/patches/allow-tlsv1.patch22
-rwxr-xr-xtesting/source/wpa_supplicant/wpa_supplicant.SlackBuild5
3 files changed, 31 insertions, 5 deletions
diff --git a/testing/source/wpa_supplicant/config/dot.config b/testing/source/wpa_supplicant/config/dot.config
index 94871afd..966a98c2 100644
--- a/testing/source/wpa_supplicant/config/dot.config
+++ b/testing/source/wpa_supplicant/config/dot.config
@@ -32,7 +32,7 @@ CONFIG_DRIVER_WEXT=y
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
-#CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
@@ -310,14 +310,14 @@ CONFIG_IEEE80211W=y
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
-#CONFIG_TLS=openssl
+CONFIG_TLS=openssl
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used. It should be noted that some existing TLS v1.0 -based
# implementation may not be compatible with TLS v1.1 message (ClientHello is
# sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
+CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
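Review bot: The newly enabled `CONFIG_TLSV11=y` sits next to `CONFIG_TLS=openssl`, but as far as I can tell this switch only affects the internal TLSv1 implementation, so it probably has no effect on an OpenSSL build. A reader could take it to mean that this line is what enables TLS 1.1. Whether `CONFIG_TLSV12` is set is outside the hunk. I would either leave the line commented out or add a comment such as `# Only used with CONFIG_TLS=internal; with openssl the protocol range comes from the OpenSSL library/configuration.` after confirming that against the Makefile.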
@@ -328,7 +328,8 @@ CONFIG_IEEE80211W=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
-CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+#CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
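Review bot: `DEFAULT@SECLEVEL=1` on the added `CONFIG_TLS_DEFAULT_CIPHERS` line becomes the compiled-in default for every network that does not set its own cipher list. The lowered OpenSSL security level is therefore not limited to the legacy WPA2-Enterprise servers it is meant for. The file does not say that this is a deliberate downgrade or how to tighten it. I would add a comment above the line, for example `# SECLEVEL=1 is a deliberate downgrade for legacy EAP servers; set openssl_ciphers in wpa_supplicant.conf to restrict it where it is not needed.`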
diff --git a/testing/source/wpa_supplicant/patches/allow-tlsv1.patch b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch
new file mode 100644
index 00000000..eb5fb781
--- /dev/null
+++ b/testing/source/wpa_supplicant/patches/allow-tlsv1.patch
@@ -0,0 +1,22 @@
+From: Andrej Shadura <andrewsh@debian.org>
+Subject: Enable TLSv1.0 by default
+
+OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
+Some older networks may support for TLSv1.0 and less secure cyphers.
+
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -988,6 +988,13 @@
+ os_free(data);
+ return NULL;
+ }
++
++#ifndef EAP_SERVER_TLS
++ /* Enable TLSv1.0 by default to allow connecting to legacy
++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
++#endif
++
+ data->ssl = ssl;
+ if (conf)
+ data->tls_session_lifetime = conf->tls_session_lifetime;
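Review bot: The added `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);` ignores its return value, so a build or OpenSSL configuration that rejects the call leaves the minimum version unchanged with nothing in the log. I would check it, e.g. `if (SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION) != 1)` followed by `wpa_printf(MSG_INFO, "OpenSSL: could not lower minimum TLS version");`. The call is made on the shared context, so TLS 1.0 becomes acceptable for every client connection rather than only for the networks that need it. The comment should say so and point to the per-network `tls_disable_tlsv1_0=1` phase1 flag for networks that can require newer TLS. The comment also names Debian's OpenSSL defaults, which may not describe this build. The enclosing function starts and ends outside the hunk.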
diff --git a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
index c248c130..492ddb72 100755
--- a/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
+++ b/testing/source/wpa_supplicant/wpa_supplicant.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=wpa_supplicant
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
SRCVERSION=$(printf $VERSION | tr _ -)
@@ -92,6 +92,9 @@ zcat $CWD/patches/wpa_supplicant-gui-qt4.patch.gz | patch -p1 --verbose || exit
zcat $CWD/patches/wpa_supplicant-quiet-scan-results-message.patch.gz | patch -p1 --verbose || exit 1
zcat $CWD/patches/wpa_supplicant-2.7-fix-undefined-remove-ie.patch.gz | patch -p1 --verbose || exit 1
+# Allow legacy tls to avoid breaking WPA2-Enterprise:
+zcat $CWD/patches/allow-tlsv1.patch.gz | patch -p1 --verbose || exit 1
+
cd wpa_supplicant
# Create the configuration file for building wpa_supplicant: