[Pkg-openssl-devel] Bug#907888: Bug#907888: Bug#907888: openssl: Breaks wpa_supplicant (and NetworkManager) which fail with error "ee key too small"

Kurt Roeckx kurt at roeckx.be
Wed Sep 5 22:32:10 BST 2018


On Tue, Sep 04, 2018 at 11:41:48AM +0200, Gianpaolo Cugola wrote:
> 
> 1. Administrators of big organizations are usually reluctant to change
> their certificates

Can you at least try to contact them?

> 2. The suggested workaround works (thanks again) for wpa_supplicant but
> NetworkManager (which is used by most Linux distros) cannot pass the
> "openssl_ciphers" flag to wpa_supplicant.
> 
> On the other hand, starting from your suggestion, I found a workaround that
> changes the cipher globally. I report it below for other users.
> 
> It is just a matter of editing the file /etc/ssl/openssl.cnf, changing the last line
> from:
> CipherString = DEFAULT@SECLEVEL=2
> to
> CipherString = DEFAULT@SECLEVEL=1
> 
> I know, this impacts the global security of your Linux box, but it was the
> standard up to August, when OpenSSL 1.1.1 was released, so it should not be
> a big problem for most users :-)

It would be best if you could specify this as specifically as
needed, so per connection. So having support for that in
NetworkManager could be nice.


Kurt
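
An added example, not part of the original message and not Debian or OpenSSL code: a Python check that follows the section chain in an openssl.cnf to the system-wide CipherString, extracts its SECLEVEL, and tells whether an RSA end-entity key of a given size passes that level. The sample file contents and the function names are constructed assumptions; the per-level minimum key sizes are those documented for SSL_CTX_set_security_level.

```python
import re

# Minimum RSA/DSA/DH key size in bits per OpenSSL security level
# (as documented for SSL_CTX_set_security_level).
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Constructed sample: the relevant part of a Debian-style openssl.cnf.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

def parse_cnf(text):
    """Return {section: {key: value}}; keys before any header go in ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def system_seclevel(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return the
    SECLEVEL in its CipherString, or None if no level is configured."""
    cnf = parse_cnf(text)
    section = ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        section = cnf.get(section, {}).get(key)
        if section is None:
            return None
    cipher_string = cnf.get(section, {}).get("CipherString", "")
    match = re.search(r"@SECLEVEL=(\d)", cipher_string)
    return int(match.group(1)) if match else None

def rsa_key_accepted(bits, level):
    """True if an RSA end-entity key of this size passes the given level."""
    return bits >= MIN_RSA_BITS[level]
```

Run against each host's real /etc/ssl/openssl.cnf, a result below 2 flags machines where the global workaround was applied instead of a per-connection setting.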


