Fixing TLS Connection Issues in Debian 10

11/27/18 - With Debian 10's release approaching, an important change to SSL configuration might affect you.

With Debian 10's release fast approaching, you might not know about a change that could affect functionality.

OpenSSL maintainer Kurt Roeckx modified OpenSSL's default configuration such that by default, only TLSv1.2 is used, due to security issues with TLS 1.0. This could break certain networks that use EAP-PEAP for authentication and do not support TLSv1.2. He did add a news item in the Debian documentation warning about this change, but I'm not sure many people will read it.

If you are administrator of your computer and have issues connecting to networks that use EAP-PEAP or certain old websites, do the following:

  1. Open a terminal.

  2. Enter sudo nano /etc/ssl/openssl.cnf (NOT .conf!) and enter your user password.

  3. A text editor will open. Go to the bottom of the file and you will see the line: MinProtocol: TLSv1.2

  4. Change it to MinProtocol: None.

  5. Reboot.

Your system should now work with older sites and networks. Keep in mind that this setting shouldn't be applied to a production server, as it can lead to security risks.