[Pkg-openssl-devel] Bug#907888: Bug#907888: openssl: Breaks wpa_supplicant (and NetworkManager) which fail with error "ee key too small"

Gianpaolo Cugola gianpaoloc at gmail.com
Tue Sep 4 10:41:48 BST 2018


On Mon, 3 Sep 2018 22:24:29 +0200 Kurt Roeckx <kurt at roeckx.be> wrote:
> The fix is to tell your administrator to use 2048 (or more) bit
> keys. I assume there are certificates on both sides, so they both
> need to get replaced.
>
> You can work around this issue by putting something like this in
> your config file:
> openssl_ciphers=DEFAULT@SECLEVEL=1

Dear Kurt, thanks a lot for the quick reply. Unfortunately:

1. Administrators of big organizations are usually reluctant to change
their certificates
2. The suggested workaround works (thanks again) for wpa_supplicant but
NetworkManager (which is used by most Linux distros) cannot pass the
"openssl_ciphers" flag to wpa_supplicant.

On the other hand, starting from your suggestion, I found a workaround that
changes the cipher globally. I report it below for other users.

It is just a matter of editing the file /etc/ssl/openssl.cnf, changing the last line
from:
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT@SECLEVEL=1

I know, this impacts the global security of your Linux box, but it was the
standard up to August, when OpenSSL 1.1.1 was released, so it should not be
a big problem for most users :-)

  Gianpaolo
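
An audit-side view of the global workaround described in this message, as an added example that is not part of the original post: it reads openssl.cnf text, reports the security level of each CipherString, flags values below 2, and says whether a certificate key of a given size would be accepted at that level. The sample config text, the section name and the 1024-bit key size are constructed for illustration.

```python
import re

# Minimum RSA/DSA/DH key size in bits accepted at each OpenSSL security level
# (values from the SSL_CTX_set_security_level documentation).
MIN_KEY_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
SECLEVEL_RE = re.compile(r"@SECLEVEL=([0-5])")

# Constructed samples; the section name is illustrative.
SAMPLE_DEFAULT = "[system_default_sect]\nCipherString = DEFAULT@SECLEVEL=2\n"
SAMPLE_WEAKENED = ("[system_default_sect]\n# lowered for Wi-Fi\n"
                   "CipherString = DEFAULT@SECLEVEL=1\n")

def find_cipherstrings(cnf_text):
    """Yield (section, value) for every CipherString line in openssl.cnf text."""
    section = "default"
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")    # split at the first '=' only
        # Config-file command names are case insensitive.
        if sep and key.strip().lower() == "cipherstring":
            yield section, value.strip()

def audit(cnf_text, cert_key_bits, baseline=2):
    """Return one finding per CipherString: level, weakened?, key accepted?"""
    findings = []
    for section, value in find_cipherstrings(cnf_text):
        m = SECLEVEL_RE.search(value)
        # Assumption: with no explicit @SECLEVEL, the baseline level applies.
        level = int(m.group(1)) if m else baseline
        findings.append({
            "section": section,
            "level": level,
            "weakened": level < baseline,
            "key_accepted": cert_key_bits >= MIN_KEY_BITS[level],
        })
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("weakened", SAMPLE_WEAKENED)):
        for finding in audit(text, cert_key_bits=1024):
            print(name, finding)
```

Because the setting lives in the system-wide file, a "weakened" finding applies to every program that loads the default OpenSSL configuration, not only to wpa_supplicant.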