Tuesday, October 03, 2023

Re: Support for TLS 1.0 in recent wpa_supplicant builds

On 2023/10/03 19:17, haywirrr wrote:
> It would seem that the latest snapshot version of wpa_supplicant was
> compiled using a version of LibreSSL that does not support TLS 1.0.
> While this doesn't surprise me, my ISP requires 802.1X authentication
> and only TLS 1.0 is available.
>
> I attempted to build wpa_supplicant from ports using LibreSSL 3.7.3
> but I am running into build errors along the way. I am hoping that
> someone may be able to point me in the right direction in terms of
> the correct compilation flags, or perhaps suggest a different 802.1X
> client.

OpenBSD only uses the standard version of LibreSSL from the base
OS, which no longer allows setting TLS 1.0 or 1.1.

You could try this, which allows building with OpenSSL instead.
Set "FLAVOR=openssl" on the command line when building (e.g.
'pkg_delete wpa_supplicant; FLAVOR=openssl make install').

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
retrieving revision 1.53
diff -u -p -r1.53 Makefile
--- Makefile 27 Sep 2023 16:34:38 -0000 1.53
+++ Makefile 3 Oct 2023 20:12:52 -0000
@@ -1,7 +1,7 @@
COMMENT= IEEE 802.1X supplicant

DISTNAME= wpa_supplicant-2.9
-REVISION= 2
+REVISION= 3
CATEGORIES= security net

HOMEPAGE= https://w1.fi/wpa_supplicant/
@@ -9,7 +9,7 @@ HOMEPAGE= https://w1.fi/wpa_supplicant/
# BSD
PERMIT_PACKAGE= Yes

-WANTLIB += c ssl crypto pcap pcsclite pthread
+WANTLIB += c pcap pcsclite pthread

LIB_DEPENDS= security/pcsc-lite

@@ -18,7 +18,24 @@ SITES= https://w1.fi/releases/
USE_GMAKE= Yes
NO_TEST= Yes
MAKE_FLAGS= V=1
-MAKE_ENV= CFLAGS="${CFLAGS}" CC="${CC}"
+MAKE_ENV= CC="${CC}" \
+ CFLAGS="${CFLAGS}" \
+ LIBS="-L${LOCALBASE}/lib ${LIBS}"
+
+FLAVORS= openssl
+FLAVOR?=
+
+CFLAGS+= -I${LOCALBASE}/include/PCSC
+
+.if ${FLAVOR:Mopenssl}
+LIB_DEPENDS += security/openssl/3.1
+CFLAGS += -Wno-deprecated-declarations -I${LOCALBASE}/include/eopenssl31
+LIBS += -L${LOCALBASE}/lib/eopenssl31
+# -lssl -lcrypto
+WANTLIB += lib/eopenssl31/crypto lib/eopenssl31/ssl
+.else
+WANTLIB += crypto ssl
+.endif

WRKSRC= ${WRKDIST}/wpa_supplicant

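Review bot: In the `.if ${FLAVOR:Mopenssl}` branch, LIBS gains `-L${LOCALBASE}/lib/eopenssl31` but nothing in the visible lines sets a runtime search path. It is worth confirming with ldd that the installed binary loads libssl and libcrypto from eopenssl31 and not from base LibreSSL. If it does not, adding `-Wl,-rpath,${LOCALBASE}/lib/eopenssl31` to LIBS in that branch would pin it. The leftover `# -lssl -lcrypto` comment should be dropped or explained. A short comment stating why the flavor exists (in this thread, an 802.1X peer that only offers TLS 1.0) would also help later maintainers, since `-Wno-deprecated-declarations` otherwise hides the deprecation warnings for the whole build.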