LinuxQuestions.org
Old 01-03-2019, 08:08 PM   #16
gablek
LQ Newbie
 
Registered: Jan 2013
Location: Oregon, USA
Distribution: Slackware64-current
Posts: 9

Original Poster
Rep: Reputation: Disabled

After some reading, I've managed to get a version of wpa_supplicant-2.7 that works with my employer's WPA2-Enterprise setup. The most pertinent references I saw were these two Debian bug reports:
https://bugs.debian.org/cgi-bin/bugr...cgi?bug=907518
https://bugs.debian.org/cgi-bin/bugr...cgi?bug=911297

My Slackware solution was as follows:
1. Download the testing/source/wpa_supplicant folder from -current.

2. Add the following Debian patch (in their source as allow-tlsv1.patch) and edit the SlackBuild to apply:
Code:
From: Andrej Shadura <andrewsh@debian.org>
Subject: Enable TLSv1.0 by default

OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
Some older networks may support for TLSv1.0 and less secure cyphers.

--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -988,6 +988,13 @@
                os_free(data);
                return NULL;
        }
+
+#ifndef EAP_SERVER_TLS
+       /* Enable TLSv1.0 by default to allow connecting to legacy
+        * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
+       SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
+#endif
+
        data->ssl = ssl;
        if (conf)
                data->tls_session_lifetime = conf->tls_session_lifetime;
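Review bot: the return value of SSL_CTX_set_min_proto_version() in the added block is ignored, and the call lowers the floor to TLSv1.0 for every build compiled without EAP_SERVER_TLS, not only for the legacy networks the comment names. Check the result and log a failure, and consider gating the call behind a build or per-network option so that networks able to negotiate a newer TLS version keep the stricter minimum. The comment also cites SECLEVEL=2, but nothing in this hunk changes the security level; either drop that mention or say where the level is adjusted.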
3. Apply the following differences to config/dot.config:
Code:
--- dot.config.orig     2018-12-29 11:33:03.000000000 -0800
+++ dot.config  2019-01-03 10:28:19.728355270 -0800
@@ -32,7 +32,7 @@
 CONFIG_DRIVER_NL80211=y
 
 # QCA vendor extensions to nl80211
-#CONFIG_DRIVER_NL80211_QCA=y
+CONFIG_DRIVER_NL80211_QCA=y
 
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
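Review bot: uncommenting CONFIG_DRIVER_NL80211_QCA=y turns on the QCA vendor extensions to nl80211, which has no visible connection to the TLS version and cipher changes in the rest of this diff. Split it into its own change or leave it commented out, so the options actually needed for the WPA2-Enterprise fix can be identified and tested separately.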
@@ -310,25 +310,25 @@
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
-#CONFIG_TLS=openssl
+CONFIG_TLS=openssl
 
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
+CONFIG_TLSV11=y
 
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
-#CONFIG_TLSV12=y
+CONFIG_TLSV12=y
 
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
-CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
 
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
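Review bot: the last change in this hunk replaces the build-wide CONFIG_TLS_DEFAULT_CIPHERS value with "DEFAULT@SECLEVEL=1", so the lower security level applies to every network where the user does not specify ciphers, and the file carries no comment saying why. Add a comment naming the legacy-network case it is for, and check whether CONFIG_TLS=openssl, CONFIG_TLSV11=y and CONFIG_TLSV12=y are each required, since all three are enabled together with no individual justification.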
4. Run the SlackBuild, upgrade & reboot. Works with work (WPA2-Enterprise/PEAP/MSCHAPv2) and home (WPA2-PSK).

Caveats:
I don't have any way of knowing if this breaks anything else. I also have no idea if this opens any vulnerabilities; that seemed to be some of the discussion in the Debian bug report. I also haven't explored whether all four of the dot.config changes are necessary; these seemed to be the minimal changes to Pat's file that might be appropriate. (The Debian config file has a whole lot of additional variables uncommented.) I know that without the dot.config changes, the source patch alone does not allow WPA2-Enterprise authentication.

I hope this helps those more skilled than I in finding the right fix for 2.7.

Last edited by gablek; 01-03-2019 at 08:10 PM.
 
1 members found this post helpful.
Old 01-07-2019, 05:15 AM   #17
lotar
LQ Newbie
 
Registered: Aug 2012
Location: Rome
Distribution: Slackware64 -current, CentOS
Posts: 12

Rep: Reputation: 21
I have installed the wpa_supplicant-2.7 package present in the testing directory (with allow-tlsv1.patch) and it works fine in my company's WPA2-Enterprise (with EAP-MSCHAPV2 authentication).

Thanks
 
1 members found this post helpful.
  

