Enabling Eduroam TLS 1.0 on modern linux distros
Because I keep forgetting how to set this up properly, I’ll just write it down here so I’ll have easy access in the future (and can hand the guide to my fellow students).
Things I will use to configure the access:
- NetworkManager
- wpa_supplicant
- OpenSSL
First, we have to configure OpenSSL so that it is allowed to use TLS 1.0 (yes, using this TLS version nowadays is a dumb idea), and since we want to avoid compromising the security of the rest of the system, we limit it to wireless connections only. To do that, change the environment parameters in the wpa_supplicant service file, usually located at /usr/lib/systemd/system/wpa_supplicant.service or /lib/systemd/system/wpa_supplicant, so that it contains the line:
Environment="OPENSSL_CONF=/etc/wpa_supplicant/openssl.cnf"
So the file’s service section looks like this:
[Service]
Type=dbus
BusName=fi.w1.wpa_supplicant1
Environment="OPENSSL_CONF=/etc/wpa_supplicant/openssl.cnf"
ExecStart=/usr/bin/wpa_supplicant -u -s -O /run/wpa_supplicant
ExecReload=/bin/kill -HUP $MAINPID
This tells the wpa_supplicant service to use our OpenSSL config file instead of the system-wide one. Now we have to actually create and configure that file. To do so, copy the system config from /etc/ssl like so:
# cp /etc/ssl/openssl.cnf /etc/wpa_supplicant/openssl.cnf
This creates our file. Now open it with the editor of your choice and find the following lines:
[openssl_init]
providers = provider_sect
Immediately after them, insert the following line:
ssl_conf = ssl_sect
And add the following sections:
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
Now that OpenSSL is configured, we have to configure the connection file NetworkManager will use to connect to the eduroam network. The easiest way to generate it is the eduroam CAT (Configuration Assistant Tool), available at https://cat.eduroam.org.
After generating the file, we have to modify the network connection file (extension .nmconnection) so that its [802-1x] section contains this entry:
[802-1x]
phase1-auth-flags=32
Do keep in mind that the directory where connections are stored by default (/etc/NetworkManager/system-connections) is accessible only by root.
This tells NetworkManager that TLS 1.0 is allowed and may be used to connect to the network. Hopefully it works now. Another thing to keep in mind: a system update can sometimes remove this configuration; in that case, just follow the steps again.
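The whole procedure above, as an added example script (not part of the original post): it builds the wpa_supplicant-only openssl.cnf, sets the Environment= line for the service, adds phase1-auth-flags=32 to the keyfile, and then checks that the TLS 1.0 relaxation has not leaked into the system-wide OpenSSL config. Two assumptions of my own: POSIX sh with awk and grep is available, and the Environment= line is placed in a systemd drop-in under /etc/systemd/system/wpa_supplicant.service.d/ rather than in the packaged unit file, which is what keeps the change from being wiped by the next package update.

```shell
#!/bin/sh
# Added example, not part of the original post. Applies the guide's three
# steps and verifies the scope of the change. Assumptions (mine, not the
# post's): POSIX sh + awk + grep; paths are the ones the post names; the
# Environment= line goes into a systemd drop-in instead of the packaged unit.
set -eu

# Step 1: build the wpa_supplicant-only OpenSSL config.
# $1 = base config (normally /etc/ssl/openssl.cnf), $2 = output path.
make_wpa_openssl_cnf() {
    base=$1; out=$2
    mkdir -p "$(dirname "$out")"
    # Copy the base file, inserting "ssl_conf = ssl_sect" right after the
    # "providers = provider_sect" line of [openssl_init].
    awk '{ print } /^providers *= *provider_sect/ { print "ssl_conf = ssl_sect" }' \
        "$base" > "$out"
    if ! grep -q '^ssl_conf = ssl_sect$' "$out"; then
        echo "no 'providers = provider_sect' line in $base (not an OpenSSL 3 config?)" >&2
        rm -f "$out"
        return 1
    fi
    # Append the sections from the guide. They only affect processes started
    # with OPENSSL_CONF pointing at this file, i.e. wpa_supplicant.
    cat >> "$out" <<'EOF'

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
EOF
}

# Step 2: point only the wpa_supplicant service at that config via a drop-in.
# $1 = filesystem root ("/" for the live system, a temp dir for a dry run).
write_wpa_dropin() {
    d="$1/etc/systemd/system/wpa_supplicant.service.d"
    mkdir -p "$d"
    printf '[Service]\nEnvironment="OPENSSL_CONF=/etc/wpa_supplicant/openssl.cnf"\n' \
        > "$d/openssl.conf"
}

# Step 3: set phase1-auth-flags=32 (NetworkManager's "enable TLS 1.0" flag)
# in the [802-1x] section of a keyfile. Idempotent: an existing value is replaced.
enable_tls10_in_nmconnection() {
    f=$1
    grep -q '^\[802-1x\]' "$f" || { echo "no [802-1x] section in $f" >&2; return 1; }
    if grep -q '^phase1-auth-flags=' "$f"; then
        awk '/^phase1-auth-flags=/ { print "phase1-auth-flags=32"; next } { print }' \
            "$f" > "$f.tmp"
    else
        awk '{ print } /^\[802-1x\]/ { print "phase1-auth-flags=32" }' "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
    chmod 600 "$f"   # NetworkManager ignores keyfiles that other users can read
}

# Check: TLS 1.0 is enabled in the wpa_supplicant config and has NOT leaked
# into the system-wide one, which is the whole point of the separate file.
tls10_confined() {
    wpa_cnf=$1; sys_cnf=$2
    grep -q '^MinProtocol *= *TLSv1$' "$wpa_cnf" || return 1
    grep -q '^CipherString *= *DEFAULT:@SECLEVEL=0' "$wpa_cnf" || return 1
    ! grep -q 'SECLEVEL=0' "$sys_cnf"
}

# Usage (as root):
#   sh eduroam-tls10.sh apply /etc/NetworkManager/system-connections/eduroam.nmconnection
case "${1:-}" in
    apply)
        make_wpa_openssl_cnf /etc/ssl/openssl.cnf /etc/wpa_supplicant/openssl.cnf
        write_wpa_dropin /
        enable_tls10_in_nmconnection "${2:?path to the eduroam .nmconnection file}"
        tls10_confined /etc/wpa_supplicant/openssl.cnf /etc/ssl/openssl.cnf
        systemctl daemon-reload
        systemctl restart wpa_supplicant.service
        nmcli connection reload
        ;;
esac
```

After applying, `systemctl show -p Environment wpa_supplicant.service` should list the OPENSSL_CONF variable, and the same command without the drop-in is a quick way to confirm nothing else on the system inherits it.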
If you found this useful, please mention to your college’s administration that we have to do SUCH STUPIDITY (lowering our overall security) in order to connect to their network. Frankly, the fact that some places still use TLS 1.0 is terrifying, and some people do not realise how dumb this idea is…
I found out how to do this on the internet, and I’m grateful to every single one of the people involved in these posts:
- https://ubuntuforums.org/showthread.php?t=2474436
- https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
These comments really helped me write this guide properly. I hope we won’t have to do this security bypass in the future.
2025-04-12 14:52