Kurt Roeckx dixit:

>You know you can just enable TLS 1.0 and 1.1 again in various config
>files, including in your wpa config file for that specific connection?
>
>And that there are already open bugs about this issue?

No, I didn’t. But I researched it now (it’s news to me that openssl.cnf
is actually read by *all* users of the library now… since when is that?)
and, yes, changing these two lines makes WLAN work again.

>Anyway, get the radius server fixed instead.

That’s not generally possible. In the specific case of the AP at
$orkplace, it’s doable, but not my department, and may take a while.
But consider the other scenarios I listed: at a customer’s site, or
in distress. (I am not going to bother our admins, although they’ve
received a Cc of at least the initial mail of this bugreport…
X-Debbugs-Cc is broken and doesn’t send followups any more, AFAICT,
so perhaps only that one.)

If you please would step down from your cryptographic ideal world
high horse, also considering XKCD#538, and join us in the real world
now…

I also think you did not understand that, in (perhaps also in others)
the case of WLAN connectivity is more important than security, as the
actual data connections all use SSL or SSH (or VPN) anyway. I’ve been
in a lucky place to never have needed export ciphers, but I’d connect
to a 40-bit DES-encrypted WLAN if the alternative was no network. Heh
even to an unencrypted one. (My WLAN at home is actually unencrypted,
but it’s only on when needed.)

At the a̲b̲s̲o̲l̲u̲t̲e̲ very least, the libssl1.1 package needs a NEWS.Debian
entry detailing these changes and the openssl.cnf way of getting the
more compatible behaviour back. That will be read by people while
upgrading to the new version, and then they’ll know it’s in NEWS.Debian
on the local filesystem, and then, on the road, if needed, the change
can be done locally without need for further online research.

bye,
//mirabilos
-- 
When he found out that the m68k port was in a pretty bad shape, he did
not, like many before him, shrug and move on; instead, he took it upon
himself to start compiling things, just so he could compile his shell.
How's that for dedication. -- Wouter, about my Debian/m68k revival