
802.1x: openssl_ciphers setting (wpa_supplicant)

Summary

Allow user to specify TLS ciphers for wpa_supplicant in 802.1x.

Purpose

  • Some old RADIUS servers support only ciphers that were recently moved to DEFAULT@SECLEVEL=0 in OpenSSL.
  • Debian-based distributions compile wpa_supplicant with the default cipher string DEFAULT@SECLEVEL=1, which is a good thing in general.

This patch aims to allow connecting to networks with old RADIUS servers while not compromising security on other networks.

The patch was successfully tested on current Debian testing against Windows 2008 RADIUS servers (patch applied to NetworkManager version 1.44).

Disclaimers

The patch is targeted only at wpa_supplicant because that 802.1x implementation is used in Debian and because I do not have access to test other implementations.

Red Hat settings conversion is provided without testing (I do not use any Red Hat-based distribution).

I also added support for this config to nmtui, so that users can edit their connections to old RADIUS servers at least there, because I do not expect graphical user interfaces to incorporate this change (soon).

Checklist

Please read https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/CONTRIBUTING.md before opening the merge request. In particular, check that:

  • the subject for all commits is concise and explicative

  • the message for all commits explains the reason for the change

  • the source is properly formatted

  • any relevant documentation is up to date

  • you have added unit tests if applicable

The above ticks are intentionally not checked. This is just a proposal of a solution.

  • I do not fully understand the build process of NetworkManager, so I made some cargo-cult changes so that it fits the surrounding code.
  • I did not study the coding standards of NetworkManager, although I tried to use a coding style similar to the surrounding code.
  • There is also another solution, namely adding a "free form" configuration field where an advanced user may specify multiple wpa_supplicant options (that cannot be changed by current NetworkManager's 802.1x configuration options).
Edited by Tomáš Ebenlendr
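
For reference, wpa_supplicant accepts `openssl_ciphers` both as a global parameter and inside a single `network` block, where it overrides the global value for that network only. The fragment below is an added illustration, not part of the merge request or of NetworkManager's generated configuration; the SSIDs, identities, passwords and certificate paths are constructed placeholders.

```conf
# wpa_supplicant.conf (illustrative fragment, constructed values)

# The global cipher string is left at the distribution's compiled-in default.
# Setting openssl_ciphers=DEFAULT@SECLEVEL=0 here instead would lower the
# security level for every network, which is what the per-network form avoids.

# Network served by an old RADIUS server: the override applies here only.
network={
    ssid="legacy-campus"                         # placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"                  # placeholder
    password="REPLACE_ME"                        # placeholder
    ca_cert="/etc/ssl/certs/legacy-radius-ca.pem"   # placeholder path
    phase2="auth=MSCHAPV2"
    # Per-network value, written as a quoted string inside the block.
    openssl_ciphers="DEFAULT@SECLEVEL=0"
}

# Any other 802.1x network: no openssl_ciphers line, so it keeps the
# default (DEFAULT@SECLEVEL=1 on Debian-based builds, per the text above).
network={
    ssid="modern-office"                         # placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"                  # placeholder
    password="REPLACE_ME"                        # placeholder
    ca_cert="/etc/ssl/certs/office-radius-ca.pem"   # placeholder path
    phase2="auth=MSCHAPV2"
}
```

Keeping `ca_cert` set on the legacy network matters more once the security level is lowered, since server certificate validation is then the main remaining check on that connection.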
