[Pkg-openssl-devel] Bug#911389: Bug#911389: libssl1.1: loss of WLAN connectivity after upgrading; it's not the library's job to disable TLSv1.0

Thorsten Glaser tg at mirbsd.de
Fri Oct 19 21:22:02 BST 2018


Kurt Roeckx dixit:

>You know you can just enable TLS 1.0 and 1.1 again in various config
>files, including in your wpa config file for that specific connection?
>
>And that there are already open bugs about this issue?

No, I didn’t. But I researched it now (it’s news to me that openssl.cnf
is actually read by *all* users of the library now… since when is that?)
and, yes, changing these two lines makes WLAN work again.

>Anyway, get the radius server fixed instead.

That’s not generally possible.

In the specific case of the AP at $orkplace, it’s doable, but not my
department, and may take a while. But consider the other scenarios I
listed: at a customer’s site, or in distress. (I am not going to bother
our admins, although they’ve received a Cc of at least the initial
mail of this bugreport… X-Debbugs-Cc is broken and doesn’t send
followups any more, AFAICT, so perhaps only that one.) If you please
would step down from your cryptographic ideal world high horse, also
considering XKCD#538, and join us in the real world now…

I also think you did not understand that, in this case (perhaps also
in others), WLAN connectivity is more important than security, as the
actual data connections all use SSL or SSH (or VPN) anyway. I’ve been
in a lucky place to never have needed export ciphers, but I’d connect
to a 40-bit DES-encrypted WLAN if the alternative was no network. Heh
even to an unencrypted one. (My WLAN at home is actually unencrypted,
but it’s only on when needed.)

At the a̲b̲s̲o̲l̲u̲t̲e̲ very least, the libssl1.1 package needs a NEWS.Debian
entry detailing these changes and the openssl.cnf way of getting the
more compatible behaviour back. That will be read by people while
upgrading to the new version, and then they’ll know it’s in NEWS.Debian
on the local filesystem, and then, on the road, if needed, the change
can be done locally without need for further online research.

bye,
//mirabilos
-- 
When he found out that the m68k port was in a pretty bad shape, he did
not, like many before him, shrug and move on; instead, he took it upon
himself to start compiling things, just so he could compile his shell.
How's that for dedication. -- Wouter, about my Debian/m68k revival
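As an added illustration, not part of Thorsten’s mail and not the Debian package’s own documentation: the two openssl.cnf lines the mail refers to, shown first as Debian’s hardened default and then relaxed, followed by the per-connection override in wpa_supplicant that Kurt mentions. The section names follow the layout Debian used in its openssl 1.1.1 openssl.cnf at the time (check them against the file on your own system); the SSID, identity and password in the network block are constructed placeholders, and the `tls_disable_tlsv1_*` phase1 flags and the per-network `openssl_ciphers` parameter assume a wpa_supplicant build that accepts them.

```ini
# ---- /etc/ssl/openssl.cnf (other sections such as [req] and [ca] omitted) ----
#
# Debian's hardened default as shipped: TLSv1.2 minimum, security level 2.
#
#   [system_default_sect]
#   MinProtocol = TLSv1.2
#   CipherString = DEFAULT@SECLEVEL=2
#
# The relaxed form below is what makes an EAP RADIUS server that only speaks
# TLSv1.0/1.1 (or presents a SHA-1 / 1024-bit certificate) acceptable again.
# Caveat: this file is read by EVERY program linked against libssl, so the
# relaxation is system-wide, not limited to wpa_supplicant.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1

# ---- /etc/wpa_supplicant/wpa_supplicant.conf (one network block) ----
# Narrower alternative: keep the system default and relax only this SSID.
# tls_disable_tlsv1_0=0 / tls_disable_tlsv1_1=0 explicitly re-enable those
# versions for this connection; openssl_ciphers lowers the security level
# for this connection only (assumed: wpa_supplicant supports both).
# network={
#     ssid="corp-wlan"               # placeholder
#     key_mgmt=WPA-EAP
#     eap=PEAP
#     identity="user@example.org"    # placeholder
#     password="changeme"            # placeholder
#     phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"
#     phase2="auth=MSCHAPV2"
#     openssl_ciphers="DEFAULT@SECLEVEL=1"
# }
```

The per-network override is the one to prefer when the RADIUS server is the only legacy peer: it leaves browsers, mail clients and everything else on the machine at the hardened default, whereas editing openssl.cnf weakens them all at once.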