On Fri, 16 Nov 2018 at 09:36, Sam Morris <s...@robots.org.uk> wrote:
>
> Package: wpasupplicant
> Version: 2:2.4-1+deb9u1
> Followup-For: Bug #911297
>
> See /usr/share/doc/libssl1.1/NEWS.Debian.gz and try editing the end of
> /etc/ssl/openssl.cnf:
>
> MinProtocol = None
> CipherString = DEFAULT
>
> I believe OpenSSL clients can call SSL_CONF_cmd(3ssl) in order to
> change the new defaults (TLSv1.2, security level 2) back to something
> more permissive. wpasupplicant should probably be doing this because
> enterprise networks are not going to upgrade to anything as new as
> TLSv1.2 (2008) overnight.
>
> For bonus points, the minimum TLS version and CipherString could be
> exposed in NetworkManager's GUI and passed down to wpasupplicant, but
> that's way too much work given that we're about to freeze for buster!

This bug seems to be a dup for #907518. There’s a user-configurable
setting for wpa_supplicant already, and I’m not sure it’s a very good
idea to make this a default.

--
Cheers,
  Andrej
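
One way to check whether a host's openssl.cnf has been relaxed below the defaults named in the quoted message (TLSv1.2, security level 2), as an added example that is not part of either message. It assumes plain `key = value` lines with no `.include` or variable expansion, and the sample section name and file contents are constructed.

```python
import re

# MinProtocol values accepted by SSL_CONF_cmd for TLS, weakest first.
# "None" means no lower bound.
PROTOCOLS = ["None", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
BASELINE_PROTOCOL = "TLSv1.2"   # default named in the quoted message
BASELINE_SECLEVEL = 2           # default named in the quoted message

def read_settings(text):
    """Collect MinProtocol/CipherString from openssl.cnf-style text.

    Simplification (assumption): plain key = value lines only, last one
    wins; no $variable expansion or .include handling.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line or line.startswith("["):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("MinProtocol", "CipherString"):
            found[key] = value
    return found

def audit(text):
    """Return findings where the config is weaker than the baseline."""
    settings = read_settings(text)
    findings = []
    proto = settings.get("MinProtocol")
    if proto is None:
        findings.append("MinProtocol not set")
    elif proto not in PROTOCOLS:
        findings.append(f"MinProtocol {proto!r} not recognised")
    elif PROTOCOLS.index(proto) < PROTOCOLS.index(BASELINE_PROTOCOL):
        findings.append(f"MinProtocol {proto} is below {BASELINE_PROTOCOL}")
    level = re.search(r"@SECLEVEL=(\d)", settings.get("CipherString", ""))
    if level is None:
        findings.append("CipherString sets no @SECLEVEL")
    elif int(level.group(1)) < BASELINE_SECLEVEL:
        findings.append(f"security level {level.group(1)} is below {BASELINE_SECLEVEL}")
    return findings

# Constructed samples: the stricter defaults, and the edit from the message.
STRICT = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
RELAXED = "[system_default_sect]\nMinProtocol = None\nCipherString = DEFAULT\n"

if __name__ == "__main__":
    for name, sample in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, audit(sample) or "matches baseline")
```

Because /etc/ssl/openssl.cnf is system-wide, a finding here applies to every OpenSSL client on the host that reads it, not only wpa_supplicant.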