Recently Debian upgraded the minimum protocol version for TLS to TLSv1.2 and things broke. I’m not pointing my finger but the screen of my PC is not filled with kittens so this is obviously a problem.

The eduroam network at my uni is “old-fashioned” and does not support anything newer than TLSv1.1, so how am I getting back on the internet? I miss dank memes and cats already.

In an amazing feat of patience I scoured the internet for solutions:

  1. hold back the libssl1.1 package until things are not broke anymore (AHAHAH)
  2. change the minimum TLS protocol version system wide (urgh)
  3. find a way to provide wpa_supplicant with the TLS protocol to use

Obviously it was not clear whether option 3 could be the solution, or even whether it was implemented at all. Moreover I don’t use wpa_supplicant directly but rely on NetworkManager, so it was definitely less than clear what would have to happen.

Unexpectedly I landed on the right sequence of pages 1, 2 and 3 and now I can find out whether this magic option for wpa_supplicant will do the trick.

We have to specify phase1="tls_disable_tlsv1_2=1" (do not use TLSv1.2) in the configuration that wpa_supplicant will receive, but I don’t want to leave the comfort zone of NetworkManager.

Obviously the option is not available from the NetworkManager UI in Gnome but this will not set us back, dank memes and cats are out there!

$ nmcli connection edit eduroam
> set 802-1x.phase1-auth-flags tls-1-2-disable
> save
> exit

DAMMIT! I still can’t connect but openssl is not screaming at me anymore. Time to talk to the technical service, please send photos of kittens and dank memes by slow-mail.
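A per-network TLS downgrade like the phase1 option above is easy to forget once the network is fixed. The following is an added example, not part of the original post: it scans wpa_supplicant.conf-style text for network blocks whose phase1 string disables a TLS version. The helper name audit_tls_downgrades and the sample configuration are constructed for illustration, and it assumes the configuration exists as a wpa_supplicant.conf file rather than being handed over by NetworkManager.

```shell
# Added example: list network blocks in wpa_supplicant.conf-style text whose
# phase1 string disables a TLS version (tls_disable_tlsv1_N=1).
# audit_tls_downgrades is a hypothetical helper; it reads the config on stdin
# and prints one "ssid<TAB>flag[,flag]" line per affected block.
audit_tls_downgrades() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*network=[{]/ { in_net = 1; ssid = ""; flags = ""; next }
        in_net && /^[ \t]*ssid=/ {
            ssid = $0
            sub(/^[ \t]*ssid="?/, "", ssid); sub(/"?[ \t]*$/, "", ssid)
        }
        in_net && /^[ \t]*phase1=/ {
            rest = $0
            # collect every tls_disable_tlsv1_N=1 token in the phase1 string
            while (match(rest, /tls_disable_tlsv1_[0-9]+=1/)) {
                tok = substr(rest, RSTART, RLENGTH - 2)   # drop the "=1"
                flags = (flags == "" ? tok : flags "," tok)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        in_net && /^[ \t]*[}]/ {
            if (flags != "") printf "%s\t%s\n", ssid, flags
            in_net = 0
        }
    '
}

# Constructed sample input (not taken from a real system).
SAMPLE_CONF='
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    phase1="peaplabel=0 tls_disable_tlsv1_2=1"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    # phase1="tls_disable_tlsv1_1=1" (commented out, ignored)
}
network={
    ssid="lab"
    key_mgmt=WPA-EAP
    phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1"
}
'

printf '%s' "$SAMPLE_CONF" | audit_tls_downgrades
```

For a NetworkManager profile, the value set in the post can be read back with `nmcli -g 802-1x.phase1-auth-flags connection show eduroam`.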