Comment 16 for bug 969343

I built a version of wpasupplicant_0.7.3-6ubuntu2 that works for me, by switching from openssl to gnutls.

I think wpasupplicant with openssl was offering 57 ciphers and with gnutls it was around 15. (I didn't write the numbers down and am having trouble getting it to regenerate the client hello message), so am not certain.

If wpa supplicant is building the list of ciphers from openssl for the client hello message, maybe it would also be possible disable some the rare ones? I tried some of the obvious things like -DOPENSSL_NO_RC2 -DOPENSSL_NO_DES, but later realised that was probably if you'd disabled those in openssl itself.

It looks like each cipher offered takes 2 bytes, and the failing openssl packet was 261 bytes, so you just need to get it below 255 bytes -- so remove 3 ciphers?

The patch I used to make it work, given the difficulties in getting acceptance for gnutls, I bet it'd cause other problems.

--- wpasupplicant-0.7.3/debian/config/linux 2012-03-13 16:11:24.000000000 -0700
+++ wpasupplicant-0.7.3.new/debian/config/linux 2012-04-06 13:26:03.230123515 -0700
@@ -33,5 +33,5 @@
 CONFIG_PEERKEY=y
 CONFIG_IEEE80211W=y
-CONFIG_TLS=openssl
+CONFIG_TLS=gnutls
 CONFIG_CTRL_IFACE_DBUS=y
 CONFIG_CTRL_IFACE_DBUS_NEW=y