EAP-TLS no longer allows TLSv1.0 after T4537, T4584
Closed, Resolved | Public | BUG

Description

My ISP's fiber ONT requires EAP-TLS with TLSv1.0 and it seems this stopped working after the wpa_supplicant upgrade for T4537 and T4584.

I suspect this is because Debian patches are currently being removed: https://github.com/vyos/vyos-build/blob/831846e744b63f71707a6b2ca27b10b32cef5d26/packages/hostap/build.sh#L19

and Debian has a patch that allows TLSv1.0 by default: https://salsa.debian.org/debian/wpa/-/blob/debian/2%252.10-9/debian/patches/allow-tlsv1.patch

Would it be possible to have the custom hostap package build include that specific patch?

Details

Difficulty level: Normal (likely a few hours)
Version: 1.4-rolling-202208291850
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Bug (incorrect behavior)