On 2023/10/03 21:48, Stuart Henderson wrote:
> oops, rpath also needed, new diff

you'll also need this in the network={ ... } section of your config
(openssl rejects TLSv1.0 by default but allows it to be reenabled)

    openssl_ciphers="DEFAULT@SECLEVEL=0"

I was able to run eapol_test against a server reconfigured to permit
1.0 with the above, plus the following to disable newer TLS

    phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=1"

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
> retrieving revision 1.53
> diff -u -p -r1.53 Makefile
> --- Makefile 27 Sep 2023 16:34:38 -0000 1.53
> +++ Makefile 3 Oct 2023 20:48:14 -0000
> @@ -1,7 +1,7 @@
> COMMENT= IEEE 802.1X supplicant
>
> DISTNAME= wpa_supplicant-2.9
> -REVISION= 2
> +REVISION= 3
> CATEGORIES= security net
>
> HOMEPAGE= https://w1.fi/wpa_supplicant/
> @@ -9,7 +9,7 @@ HOMEPAGE= https://w1.fi/wpa_supplicant/
> # BSD
> PERMIT_PACKAGE= Yes
>
> -WANTLIB += c ssl crypto pcap pcsclite pthread
> +WANTLIB += c pcap pcsclite pthread
>
> LIB_DEPENDS= security/pcsc-lite
>
> @@ -18,7 +18,24 @@ SITES= https://w1.fi/releases/
> USE_GMAKE= Yes
> NO_TEST= Yes
> MAKE_FLAGS= V=1
> -MAKE_ENV= CFLAGS="${CFLAGS}" CC="${CC}"
> +MAKE_ENV= CC="${CC}" \
> + CFLAGS="${CFLAGS}" \
> + LIBS="-L${LOCALBASE}/lib ${LIBS}"
> +
> +FLAVORS= openssl
> +FLAVOR?=
> +
> +CFLAGS+= -I${LOCALBASE}/include/PCSC
> +
> +.if ${FLAVOR:Mopenssl}
> +LIB_DEPENDS += security/openssl/3.1
> +CFLAGS += -Wno-deprecated-declarations -I${LOCALBASE}/include/eopenssl31
> +LIBS += -Wl,-rpath ${LOCALBASE}/lib/eopenssl31
> -L${LOCALBASE}/lib/eopenssl31
> +# -lssl -lcrypto
> +WANTLIB += lib/eopenssl31/crypto lib/eopenssl31/ssl
> +.else
> +WANTLIB += crypto ssl
> +.endif
>
> WRKSRC= ${WRKDIST}/wpa_supplicant
>
>
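
Review bot: in the new MAKE_ENV, LIBS="-L${LOCALBASE}/lib ${LIBS}" places -L${LOCALBASE}/lib ahead of the -L${LOCALBASE}/lib/eopenssl31 that the openssl flavor appends to LIBS, so the linker searches ${LOCALBASE}/lib for ssl and crypto before the eopenssl31 directory. Putting the eopenssl31 -L first would make the flavor link the libraries listed in WANTLIB regardless of what else is installed under ${LOCALBASE}/lib. The LIBS += line is also wrapped in this mail without a continuation, so the hunk will not apply as posted. The "# -lssl -lcrypto" comment should be explained or dropped, and a short comment above FLAVORS= openssl saying what the flavor is for would help.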