33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: James Ralston <ralston@pobox.com>
|
|
Date: Sun, 1 May 2022 16:15:23 -0700
|
|
Subject: [PATCH] Allow legacy renegotiation to fix PEAP issues with some
|
|
servers
|
|
|
|
Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
|
|
---
|
|
src/crypto/tls_openssl.c | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
|
|
index 273e5cbc6093..ad3aa1a7a7bb 100644
|
|
--- a/src/crypto/tls_openssl.c
|
|
+++ b/src/crypto/tls_openssl.c
|
|
@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf)
|
|
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
|
|
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
|
|
|
|
+ /* Many enterprise PEAP server implementations (e.g. used in large
|
|
+ corporations and universities) do not support RFC5746 secure
|
|
+ renegotiation, and starting with OpenSSL 3.0,
|
|
+ SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
|
|
+ So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
|
|
+ only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
|
|
+ globally. */
|
|
+
|
|
+ SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
|
|
+
|
|
SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
|
|
|
|
#ifdef SSL_MODE_NO_AUTO_CHAIN
|