algorithm
Posts: 173
Joined: Mon Nov 25, 2013 9:09 pm
Location: Flatland

wpasupplicant update?

Tue Mar 05, 2019 6:41 pm

What sort of update is this that downgrades the cypher & security level?

Code:

wpasupplicant (2:2.6-19) unstable; urgency=medium

  With this release, wpasupplicant no longer respects the system
  default minimum TLS version, defaulting to TLSv1.0, not TLSv1.2. If
  you're sure you will never connect to EAP networks requiring anything less
  than 1.2, add this to your wpasupplicant configuration:

    tls_disable_tlsv1_0=1
    tls_disable_tlsv1_1=1

  wpasupplicant also defaults to a security level 1, instead of the system
  default 2. Should you need to change that, change this setting in your
  wpasupplicant configuration:

    openssl_ciphers=DEFAULT@SECLEVEL=2

  Unlike wpasupplicant, hostapd still respects system defaults.

 -- Andrej Shadura <[email protected]>  Sat, 15 Dec 2018 14:22:18 +0100

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5611
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: wpasupplicant update?

Tue Mar 05, 2019 6:51 pm

This looks like the relevant discussion:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=911297

I haven't looked at it too closely. We just backported the buster version to stretch, to fix issues people reported with wpa_supplicant and hostapd.

algorithm
Posts: 173
Joined: Mon Nov 25, 2013 9:09 pm
Location: Flatland

Re: wpasupplicant update?

Tue Mar 05, 2019 7:17 pm

Thanks. What a mess. I'll have to check if the eduroam network I use sometimes does indeed require tlsv1.0 and level=1.

jpgview
Posts: 8
Joined: Fri Feb 03, 2017 11:07 am

Re: wpasupplicant update?

Wed Mar 06, 2019 7:03 pm

Is the following a correct assumption?

In order to restore the original security settings, you need to add the following to /etc/wpa_supplicant/wpa_supplicant.conf

tls_disable_tlsv1_0=1
tls_disable_tlsv1_1=1
openssl_ciphers=DEFAULT@SECLEVEL=2

The file (my Raspbian configuration - latest version November 2018) already contains the following entries:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

How do you apply these modified settings? Reboot? Is there a command that activates the new settings, provided the settings are indeed correct?

Thanks for your time and effort.

algorithm
Posts: 173
Joined: Mon Nov 25, 2013 9:09 pm
Location: Flatland

Re: wpasupplicant update?

Wed Mar 06, 2019 7:42 pm

That was my interpretation, too, yes. However, make sure to try it first with a non-headless Pi (screen and keyboard/mouse connected) because for some reason these changes after reboot left my Pi3+ unable to connect to my home network... Very strange, because my router is less than a year old and I'm sure it implements tls1.2. I thought this was only an issue with very old equipment or PEAP authentication company networks stuck in legacy mode. Faulty implementation of the fix, perhaps.

jpgview
Posts: 8
Joined: Fri Feb 03, 2017 11:07 am

Re: wpasupplicant update?

Wed Mar 06, 2019 7:48 pm

Apparently, this is being discussed here (https://www.raspberrypi.org/forums/view ... p?t=235128)

It looks like adding the new settings wasn't very successful for this user.

Meanwhile, I've added the settings to /etc/wpa_supplicant/wpa_supplicant.conf and rebooted. No problems so far, but I made sure to connect to the pi, using ethernet (wired).

Still would like to know if adding the settings restores the security level.

Milliways
Posts: 386
Joined: Fri Apr 25, 2014 12:18 am
Location: Sydney, Australia

Re: wpasupplicant update?

Sat Mar 09, 2019 5:02 am

ShiftPlusOne wrote:
Tue Mar 05, 2019 6:51 pm
This looks like the relevant discussion:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=911297

I haven't looked at it too closely. We just backported the buster version to stretch, to fix issues people reported with wpa_supplicant and hostapd.

I just updated Raspbian and didn't see this BUT I got the following - this broke hostapd, and it seems to require manual enabling

NOTE I had a valid /etc/hostapd/hostapd.conf and a working installation prior to "upgrade" based on https://www.raspberrypi.org/documentati ... s-point.md

Code:

apt-listchanges: News
---------------------

wpa (2:2.6-10) unstable; urgency=medium

  The hostapd .service file is now automatically masked every time the
  package is upgraded with no valid configuration.

  The plan is to deprecate /etc/default/hostapd at some point, making
  /etc/hostapd/hostapd.conf the standard location for the configuration
  file.

 -- Andrew Shadura <[email protected]>  Tue, 28 Nov 2017 12:29:21 +0100

wpa (2:2.6-8) unstable; urgency=medium

  Since 2:2.6-6, hostapd ships a systemd .service file. As hostapd comes
  with /etc/default/hostapd file, which by default doesn't specify any
  config file, to prevent installation or boot failures, the package's
  postinst script masks the hostapd.service unit on the first install.
  After editing the default file, users need to unmask it themselves.

 -- Andrew Shadura <[email protected]>  Sun, 26 Nov 2017 19:25:50 +0000

eehmke
Posts: 5
Joined: Wed Jan 30, 2013 4:11 pm

Re: wpasupplicant update?

Mon Mar 11, 2019 2:19 pm

I was too fast and added the suggested lines

Code:

tls_disable_tlsv1_0=1
tls_disable_tlsv1_1=1

on my headless pi. Now it is not accessible anymore, and I have to drive 80+ km and climb onto a roof to get the sd card. Should I just remove those lines, or what is a safe way to make it work?

gkaiseril
Posts: 552
Joined: Mon Aug 08, 2016 9:27 pm
Location: Chicago, IL

Re: wpasupplicant update?

Mon Mar 11, 2019 6:44 pm

That happened to me and I removed the lines. I still get the warning but updating, upgrading and internet work.

When running some perl programs like cowsay I also see the following warning.

Code:

$ cowsay moo
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
$

I seem to have fixed both my issues by changing the locale setting using rpi-config and forcing a reboot of the system. I changed languages and timezone and then set them back to the desired settings. This forced a reboot of the system.

eehmke
Posts: 5
Joined: Wed Jan 30, 2013 4:11 pm

Re: wpasupplicant update?

Tue Mar 12, 2019 11:30 am

I did a test on a similar system and found these lines in the system log:

Code:

unknown global field 'tls_disable_tlsv1_0=1

So wpa_supplicant failed to start because of unknown lines in the config files. Seems something is broken, or where are these lines supposed to be? I have them in /etc/wpa_supplicant/wpa_supplicant.conf. For now, I comment them out.

Paeryn
Posts: 2472
Joined: Wed Nov 23, 2011 1:10 am
Location: Sheffield, England

Re: wpasupplicant update?

Tue Mar 12, 2019 4:05 pm

eehmke wrote:
Tue Mar 12, 2019 11:30 am
I did a test on a similar system and found these lines in the system log:

Code:

unknown global field 'tls_disable_tlsv1_0=1

So wpa_supplicant failed to start because of unknown lines in the config files. Seems something is broken, or where are these lines supposed to be? I have them in /etc/wpa_supplicant/wpa_supplicant.conf. For now, I comment them out.

According to the example conf, inside each network block as part of the phase1 parameters (the example conf says it can be used in phase2 as well)

Code:

network={
        ssid="myssid"
        psk="passkey"
        phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}

She who travels light — forgot something.
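
A pre-flight check for the failure described in this thread, as an added example that is not part of any poster's message: it flags `tls_disable_tlsv1_*` lines at global scope (the "unknown global field" error that stops wpa_supplicant from starting) and reports the lowest TLS version each network block's phase1 still allows. The sample configs are constructed from the settings quoted above; `lint` and `min_tls` are hypothetical helper names.

```python
TLS_FLAGS = ("tls_disable_tlsv1_0", "tls_disable_tlsv1_1")

# Constructed samples: the thread's settings at global scope vs. inside phase1.
GLOBAL_SCOPE = '''\
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
tls_disable_tlsv1_0=1
tls_disable_tlsv1_1=1
network={
        ssid="myssid"
        psk="passkey"
}
'''
IN_PHASE1 = '''\
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
        ssid="myssid"
        psk="passkey"
        phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}
'''

def min_tls(phase1_params):
    """Lowest TLS version left enabled by a list of phase1 parameters."""
    for flag, version in zip(TLS_FLAGS, ("TLSv1.0", "TLSv1.1")):
        if flag + "=1" not in phase1_params:
            return version
    return "TLSv1.2"

def lint(conf_text):
    """Return (global-scope TLS flags as (line, key), [(ssid, minimum TLS)])."""
    misplaced, networks, block = [], [], None
    for lineno, line in enumerate(map(str.strip, conf_text.splitlines()), 1):
        key, _, value = line.partition("=")
        if line == "network={":
            block = {"ssid": None, "phase1": ""}
        elif block is None:
            if key in TLS_FLAGS:  # rejected as "unknown global field"
                misplaced.append((lineno, key))
        elif line == "}":
            networks.append((block["ssid"], min_tls(block["phase1"].split())))
            block = None
        elif key in block:  # only ssid and phase1 are tracked
            block[key] = value.strip('"')
    return misplaced, networks

if __name__ == "__main__":
    for text in (GLOBAL_SCOPE, IN_PHASE1):
        print(lint(text))
```

Running it on a copy of the edited file before rebooting a headless Pi shows whether any flagged line would keep wpa_supplicant from starting.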
