After T5003, wpa_supplicant can no longer connect to legacy networks that use TLSv1.0/1.1. This differs from vanilla Debian 12 behavior and breaks compatibility with some ISPs' (crappy) fiber ONTs that unfortunately will likely never be upgraded to use secure crypto.
The regression is caused by the following changes:
- Debian 12 upgraded openssl to 3.0, which no longer enables legacy (unsafe) renegotiation by default: the SSL_OP_LEGACY_SERVER_CONNECT option now has to be set explicitly by the application. Debian's wpa_supplicant includes allow-legacy-renegotiation.patch, which we can add to VyOS' custom wpa_supplicant package since it applies cleanly.
- VyOS' wpa_supplicant was upgraded to a newer git commit (6b9c86466), which is not fully compatible with Debian's allow-tlsv1.patch for allowing TLSv1 by default. As a result, wpa_supplicant only respects the system-wide openssl crypto policy, which disables TLSv1. This can be fixed by adding tls_disable_tlsv1_0=0 to the phase1 config in wpa_supplicant.conf, which is documented to have higher priority than the system crypto policy.
With these two fixes implemented, the behavior in VyOS matches vanilla Debian 12 (wpa_supplicant 2.10). I'll open a couple PRs to get these implemented.
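An added example (not taken from the task or from the VyOS/Debian packages) of a wpa_supplicant.conf network block for a wired 802.1X/EAP-TLS ONT with the phase1 override from the second fix; the identity and certificate paths are placeholders, and the override is scoped to this one network block rather than relaxing the system-wide crypto policy.

```conf
# Constructed wpa_supplicant.conf for wired 802.1X (EAP-TLS) against a legacy ONT.
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    # Placeholder identity and certificate paths; substitute the ISP-issued ones.
    identity="PLACEHOLDER-IDENTITY"
    ca_cert="/config/auth/ont-ca.pem"
    client_cert="/config/auth/ont-client.pem"
    private_key="/config/auth/ont-client.key"
    # Explicitly re-enable TLSv1.0 for this network only. Per the wpa_supplicant
    # documentation, tls_disable_tlsv1_0=0 overrides the system-wide openssl
    # crypto policy, so TLSv1.0 stays disabled for every other network block.
    phase1="tls_disable_tlsv1_0=0"
}
```

Legacy renegotiation still depends on the first fix (the allow-legacy-renegotiation.patch in the package); this config alone only addresses the TLSv1.0 protocol-version part of the regression.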