I forgot to attach the actual patch; here it is.
diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2022-04-09 09:28:35.000000000 +0200
+++ wpa-2.10/debian/changelog	2022-05-05 11:31:26.000000000 +0200
@@ -1,3 +1,11 @@
+wpa (2:2.10-9) unstable; urgency=medium
+
+  * debian/patches/allow-legacy-renegotiation.patch:
+    allow legacy renegotiation to fix PEAP issues with some servers
+    (Closes: #1010603)
+
+ -- Sebastien Bacher <seb...@ubuntu.com>  Thu, 05 May 2022 11:31:26 +0200
+
 wpa (2:2.10-8) unstable; urgency=medium
 
   * Pull the defconfig updates from the upstream’s Git.
diff -Nru wpa-2.10/debian/patches/allow-legacy-renegotiation.patch wpa-2.10/debian/patches/allow-legacy-renegotiation.patch
--- wpa-2.10/debian/patches/allow-legacy-renegotiation.patch	1970-01-01 01:00:00.000000000 +0100
+++ wpa-2.10/debian/patches/allow-legacy-renegotiation.patch	2022-05-05 11:31:26.000000000 +0200
@@ -0,0 +1,24 @@
+# Description: allow legacy renegotiation to fix PEAP issues with some servers
+# Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+#
+Index: wpa-2.10/src/crypto/tls_openssl.c
+===================================================================
+--- wpa-2.10.orig/src/crypto/tls_openssl.c
++++ wpa-2.10/src/crypto/tls_openssl.c
+@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
++	/* Many enterprise PEAP server implementations (e.g. used in large
++	 corporations and universities) do not support RFC5746 secure
++	 renegotiation, and starting with OpenSSL 3.0,
++	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++	 globally. */
++
++	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++
+ 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ 
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
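Review bot: The `SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);` line applies to every TLS context this `tls_init()` produces, and per OpenSSL's documentation it makes the client accept initial handshakes with servers that do not advertise the RFC 5746 secure-renegotiation extension — servers that by definition remain exposed to the CVE-2009-3555 renegotiation prefix-injection issue — yet the comment above it explains only the compatibility motive and not this trade-off. There is also no opt-out and no log line, so a deployment that talks exclusively to RFC 5746-capable RADIUS servers cannot keep the stricter OpenSSL 3.0 default, and an operator has no way to see from the build that the check was relaxed. I would at least extend the comment, e.g. `/* NOTE: this relaxes the RFC 5746 requirement for every client context built here, not only EAP-PEAP, so peers can no longer reject servers still vulnerable to CVE-2009-3555; revisit once a per-connection flag exists. */`, and emit a one-time debug message when the option is applied; ideally the option would be gated behind a configuration flag that defaults to off. The enclosing `tls_init()` starts and ends outside this hunk, so whether any other code already logs or conditions this is not visible here.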
diff -Nru wpa-2.10/debian/patches/series wpa-2.10/debian/patches/series
--- wpa-2.10/debian/patches/series	2022-04-09 09:28:35.000000000 +0200
+++ wpa-2.10/debian/patches/series	2022-05-05 11:31:26.000000000 +0200
@@ -7,3 +7,4 @@
 manpage-replace-wheel-with-netdev.patch
 upstream-fixes/0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
 upstream-fixes/0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+allow-legacy-renegotiation.patch
