On Wed, 5 Sep 2018 14:57:59 -0700 Josh Triplett <j...@joshtriplett.org> wrote:

> On Wed, Sep 05, 2018 at 11:48:56PM +0200, Kurt Roeckx wrote:
> > The problem here is that the CA you're connecting to has an
> > insecure certificate. You should talk to your administrator
> > to generate stronger keys.
>
> I am aware of this, and I'm in the process of doing so.
>
> > The "ca md too weak" is because the certificate is probably using
> > SHA-1, while it should move to SHA256.
>
> Is there a way I can easily get wpa_supplicant to log the full client
> and server certificate chain, and flag which *specific* certificate in
> that chain it has an issue with? I'm trying to present appropriate
> information to get the wireless network infrastructure improved, and
> unlike https I can't just use `openssl s_client` to get the details I
> need.
>
> > This can be worked around by using this in your wpa config:
> > openssl_ciphers=DEFAULT@SECLEVEL=1
>
> I don't suppose you happen to know how I could do that for a
> NetworkManager network configuration?
>
> > There is also an "ssl_choose_client_version:version too low" message.
> > This is most likely caused by minimum TLS 1.2 version setting. I
> > can't find a way in wpa to override the default. You will have to
> > modify /etc/ssl/openssl.cnf and change:
> > MinProtocol = TLSv1.2
> > to:
> > MinProtocol = TLSv1
>
> Good to know, thank you.
>
> > Note that you can also change the cipher string in that file, from
> > CipherString = DEFAULT@SECLEVEL=2
> > to
> > CipherString = DEFAULT@SECLEVEL=1
> >
> > But I recommend that you do it in the wpa config file if you can
> > instead, so that only the security of that connection is lowered.
>
> Ideally I'd like to do that for just the one network, yeah.

I'm unsure what can be done to help resolve this issue from the wpa side.

-- 
Cheers,
Andrej
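Added example, not part of the thread above: a small model of the checks behind OpenSSL's SECLEVEL setting (key strength per certificate, signature digest per non-self-signed certificate), run over a constructed chain, so that a "ca md too weak" or "key too small" rejection can be traced to the specific certificate that triggers it. The thresholds follow the documented OpenSSL 1.1 security levels; the chain entries and subject names are made up.

```python
# Added example (not from the thread): model the per-certificate checks that
# OpenSSL's security level applies, to show which certificate in a chain a
# "ca md too weak" or "key too small" error refers to.
# Chain entries are constructed descriptions, not parsed certificates.

# Minimum security bits required at each SECLEVEL (OpenSSL 1.1 documentation).
MIN_SECBITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
# Security bits OpenSSL assigns to a signature digest (digest size * 4).
DIGEST_SECBITS = {"md5": 64, "sha1": 80, "sha224": 112, "sha256": 128,
                  "sha384": 192, "sha512": 256}

def key_secbits(key_type, bits):
    """Security bits OpenSSL assigns to a public key of the given size."""
    if key_type in ("rsa", "dsa", "dh"):
        for threshold, secbits in ((15360, 256), (7680, 192), (3072, 128),
                                   (2048, 112), (1024, 80)):
            if bits >= threshold:
                return secbits
        return 0
    if key_type == "ec":
        return bits // 2
    raise ValueError(f"unknown key type {key_type}")

def check_chain(chain, level):
    """Return (subject, reason) for every certificate rejected at `level`.
    chain[0] is the end-entity certificate, chain[-1] the trust anchor."""
    need = MIN_SECBITS[level]
    problems = []
    for i, cert in enumerate(chain):
        is_ee = (i == 0)
        if key_secbits(cert["key_type"], cert["key_bits"]) < need:
            problems.append((cert["subject"],
                             "ee key too small" if is_ee else "ca key too small"))
            continue
        # The signature on a self-signed certificate is not checked, so a
        # SHA-1 self-signed root by itself does not trigger "ca md too weak".
        if cert["self_signed"]:
            continue
        if DIGEST_SECBITS[cert["sig_digest"]] < need:
            problems.append((cert["subject"], "ca md too weak"))
    return problems

# Constructed chain in the shape the thread describes: a SHA-1 signed issuing CA.
CHAIN = [
    {"subject": "CN=radius.example.net", "key_type": "rsa", "key_bits": 2048,
     "sig_digest": "sha256", "self_signed": False},
    {"subject": "CN=Example Issuing CA", "key_type": "rsa", "key_bits": 2048,
     "sig_digest": "sha1", "self_signed": False},
    {"subject": "CN=Example Root CA", "key_type": "rsa", "key_bits": 2048,
     "sig_digest": "sha1", "self_signed": True},
]

if __name__ == "__main__":
    for level in (1, 2):
        print(f"SECLEVEL={level}:", check_chain(CHAIN, level) or "chain accepted")
```

The same chain is accepted at SECLEVEL=1 and rejected at SECLEVEL=2 only because of the intermediate's SHA-1 signature, which is the certificate the administrator needs to reissue.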