jobcore/wpa_supplicant/0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch

32 lines
1.2 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: James Ralston <ralston@pobox.com>
Date: Sun, 1 May 2022 16:15:23 -0700
Subject: [PATCH] Allow legacy renegotiation to fix PEAP issues with some
servers
Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
---
src/crypto/tls_openssl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index b27c238ec864..59a1b0d9b9c7 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1114,6 +1114,16 @@ void * tls_init(const struct tls_config *conf)
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ /* Many enterprise PEAP server implementations (e.g. used in large
+ corporations and universities) do not support RFC5746 secure
+ renegotiation, and starting with OpenSSL 3.0,
+ SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
+ So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
+ only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
+ globally. */
+
+ SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+
SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
#ifdef SSL_MODE_NO_AUTO_CHAIN