wpa_supplicant/repos/core-x86_64/wpa_supplicant_tls.patch

   1 From: Andrej Shadura <andrewsh@debian.org>
   2 Date: Sat, 15 Dec 2018 14:19:22 +0100
   3 Subject: Enable TLSv1.0 by default
   4
   5 OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
   6 Some older networks may support for TLSv1.0 and less secure cyphers.
   7 ---
   8  src/crypto/tls_openssl.c | 7 +++++++
   9  1 file changed, 7 insertions(+)
  10
  11 diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
  12 index c9e00b3..273e5cb 100644
  13 --- a/src/crypto/tls_openssl.c
  14 +++ b/src/crypto/tls_openssl.c
  15 @@ -1040,6 +1040,13 @@ void * tls_init(const struct tls_config *conf)
  16                 os_free(data);
  17                 return NULL;
  18         }
  19 +
  20 +#ifndef EAP_SERVER_TLS
  21 +       /* Enable TLSv1.0 by default to allow connecting to legacy
  22 +        * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
  23 +       SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
  24 +#endif
  25 +
  26         data->ssl = ssl;
  27         if (conf) {
  28                 data->tls_session_lifetime = conf->tls_session_lifetime;