Sunday, October 08, 2023

Re: Support for TLS 1.0 in recent wpa_supplicant builds

> > ------- Original Message -------
> > On Friday, October 6th, 2023 at 4:53 PM, Stuart Henderson stu@spacehopper.org wrote:
> >
> > > On 2023/10/06 20:36, haywirrr wrote:
> > >
> > > > > ...
> > > > > hmm - it's not ideal to use OpenSSL 1.1 any more because security
> > > > > updates from the old branches are now only available to paying customers...
> > > > >
> > > > > There could well be something else in the changes between wpa_supplicant
> > > > > 2.9 and 2.10 that will help with OpenSSL 3.x, but there have been other
> > > > > changes which mean that src/drivers/driver_openbsd.c no longer compiles,
> > > > > and I don't know how to fix that.
> > > >
> > > > Hi Stuart,
> > > >
> > > > I understand that using the old version of OpenSSL is not ideal.
> > > > Unfortunately, this is my only option without moving to an entirely
> > > > different platform, i.e. FreeBSD (which I may be forced into doing).
> > >
> > > Well, you have the diff and can use it if you want, but I don't really
> > > want to commit that to ports.
> > >
> > > > Who would I need to ask about getting wpa_supplicant updated to the
> > > > latest version? Also, there's a patch available for FreeBSD that allows
> > >
> > > I've tried updating and have merged the various patches, but the openbsd
> > > code that's part of the distribution no longer builds. So it'll need
> > > someone with enough interest and time and reason to look at it. The only
> > > reason anyone has asked for this so far is to use a security protocol
> > > that was replaced (by a much improved version) in 2008 which tbh is not
> > > particularly compelling.
> > >
> > > (If anyone wants to do that feel free to ask for a diff for the boring
> > > parts).
> > >
> > > > wpa_supplicant to interface directly with VLAN 0 (see the link below),
> > > > how would I ask about getting that incorporated into the OpenBSD port
> > > > of wpa_supplicant? I am thinking the answer might be to start a new
> > > > thread and see if anyone replies...
> > > >
> > > > https://reviews.freebsd.org/D40442
> > >
> > > Does that actually need anything from wpa_supplicant, have you tried
> > > running it on a vlan interface set to id 0 (which is the standard way to
> > > do that)?
> >
> > Hi Stuart,
> >
> > That is actually how I am currently working with wpa_supplicant, I use
> > a hostname.vlan0 interface along with the application to authenticate.
> > I was just thinking this might negate the need for the interface
> > declaration and make things a little cleaner.
> >
> > Should the question then be would it be possible to incorporate 802.1X
> > authentication into a hostname.if? I have no idea what that would take.
>
>
> Hi Stuart,
>
> I was able to get wpa_supplicant working with OpenSSL 3.0/3.1 after
> applying the following 5 patches:
>
> Allow use of TLS 1.0 and renegotiation - patch 1/5
>
> Index: src/ap/authsrv.c
> --- src/ap/authsrv.cc.orig
> +++ src/ap/authsrv.c
> @@ -188,6 +188,9 @@
> wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
> data->alert.description);
>
> break;
> + case TLS_UNSAFE_RENEGOTIATION_DISABLED:
> + /* Not applicable to TLS server /
> + break;
> }
> }
>
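Review bot: the comment on the added line `/* Not applicable to TLS server /` is never closed (the `*/` is missing), so the compiler treats the following `break;`, both closing braces and everything up to the next `*/` in the file as comment text; this hunk does not build as shown. It should read `/* Not applicable to TLS server */`. Two smaller points: the `---` header names `src/ap/authsrv.cc.orig` while `Index:` and `+++` name `src/ap/authsrv.c`, which looks like a typo in the file name; and `TLS_UNSAFE_RENEGOTIATION_DISABLED` is not defined in this hunk, so it must be added to the TLS event enum by one of the other four patches, which are not included in the message, making the series impossible to check for completeness here.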
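As an added illustration of the "vlan interface set to id 0" approach the two of you discuss above (this is not configuration posted by either participant), here is what the two files involved look like on an OpenBSD host: a hostname.if for the vlan(4) interface that also starts the supplicant, and a minimal EAP-TLS wpa_supplicant.conf. The parent interface name em0, the identity and the certificate paths are assumptions. The phase1 parameters are the names documented in upstream wpa_supplicant 2.10; whether the 2.9 port on OpenBSD honors them is not settled by this thread.

```conf
# /etc/hostname.vlan0   (parent interface em0 is an assumption)
# Tag the 802.1X traffic with VLAN ID 0 (priority tagging) instead of
# patching wpa_supplicant to speak to the parent interface directly.
vnetid 0 parent em0
up
# Start the supplicant on the vlan interface with the wired (802.3) driver.
!/usr/local/sbin/wpa_supplicant -B -D wired -i vlan0 -c /etc/wpa_supplicant.conf

# /etc/wpa_supplicant.conf   (mode 0600: it names the client private key)
# wired link: no scanning, no WEP key handling
ap_scan=0
ctrl_interface=/var/run/wpa_supplicant
network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0
    # identity and paths below are assumed values
    identity="user@example.org"
    ca_cert="/etc/ssl/8021x-ca.pem"
    client_cert="/etc/ssl/8021x-client.pem"
    private_key="/etc/ssl/8021x-client.key"
    # Only when the authenticator really requires legacy TLS: re-enable TLS 1.0
    # and legacy renegotiation for this one network block, not globally.
    # Upstream 2.10 parameter names; assumption that the installed build
    # accepts them.
    phase1="tls_disable_tlsv1_0=0 allow_unsafe_renegotiation=1"
}
```

The phase1 line is the configuration-level counterpart of what the patch series above tries to achieve in code: both TLS 1.0 and unsafe renegotiation are protocol downgrades, so keeping them confined to the single network block that needs them limits the exposure to that authenticator, and the ca_cert entry keeps the client verifying the RADIUS server's certificate even on the downgraded handshake.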
