If you ever try and connect to a public Wi-Fi AP hosted by KT, perhaps at a Starbucks, with your Linux laptop, you may notice that the connection fails. For me, KDE prompted that the password was incorrect, when it wasn’t — my Android phone could connect to the AP just fine.
If you looked at the logs, you would see something like this:
Dec 26 16:39:14 kernel: wlp3s0: associate with 06:09:b4:78:b3:13 (try 1/3)
Dec 26 16:39:14 kernel: wlp3s0: associate with 06:09:b4:78:b3:13 (try 2/3)
Dec 26 16:39:14 kernel: wlp3s0: RX AssocResp from 06:09:b4:78:b3:13 (capab=0x431 status=0 aid=1)
Dec 26 16:39:14 kernel: wlp3s0: associated
Dec 26 16:39:14 wpa_supplicant[1408]: wlp3s0: Associated with 06:09:b4:78:b3:13
Dec 26 16:39:14 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Dec 26 16:39:14 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Dec 26 16:39:17 wpa_supplicant[1408]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Dec 26 16:39:17 wpa_supplicant[1408]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Dec 26 16:39:17 kernel: wlp3s0: disassociated from 06:09:b4:78:b3:13 (Reason: 23=IEEE8021X_FAILED)
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=06:09:b4:78:b3:13 reason=23
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="KT_starbucks_Secure" auth_failures=2 duration=31 reason=AUTH_FAILED
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: Added BSSID 06:09:b4:78:b3:13 into ignore list, ignoring for 10 seconds
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: BSSID 06:09:b4:78:b3:13 ignore list count incremented to 2, ignoring for 10 seconds
This is because KT’s Wi-Fi uses WPA2-Enterprise, and they’re still using a TLS version lower than TLS v1.2. Versions below v1.2 are disabled by default in OpenSSL for security reasons. This is even documented on the Arch wiki.
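The desktop prompt blames the password, while the log shows the TLS handshake failing before any credentials are exchanged. As an added example (not part of the original post), this Python script reads wpa_supplicant journal lines and labels each failed EAP attempt as a TLS handshake failure or not; the first attempt in the sample is copied from the log above, the second is constructed for contrast, and the function and field names are this example's own.

```python
import re

# Attempt 1: lines copied from the log above. Attempt 2: constructed from the
# same message types, minus the TLS errors, to show the contrasting case.
SAMPLE = """\
Dec 26 16:39:14 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Dec 26 16:39:17 wpa_supplicant[1408]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Dec 26 16:39:17 wpa_supplicant[1408]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Dec 26 16:39:17 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="KT_starbucks_Secure" auth_failures=2 duration=31 reason=AUTH_FAILED
Dec 26 16:40:02 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Dec 26 16:40:05 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Dec 26 16:40:06 wpa_supplicant[1408]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

ALERT = re.compile(r"SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
OSSL = re.compile(r"SSL_connect error:([0-9A-F]+):[^:]*::(.+)$")
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD .*\((\w[\w-]*)\) selected")
SSID = re.compile(r'CTRL-EVENT-SSID-TEMP-DISABLED .*ssid="([^"]*)"')

def classify(log_text):
    """Return one dict per failed EAP attempt, with the likely cause."""
    failures, cur = [], None
    for line in log_text.splitlines():
        if "CTRL-EVENT-EAP-STARTED" in line:
            cur = {"method": None, "tls_alert": None, "openssl": None, "ssid": None}
        elif cur is None:
            continue  # ignore lines outside an EAP exchange
        elif m := METHOD.search(line):
            cur["method"] = m.group(1)
        elif m := ALERT.search(line):
            # "write" means the alert was raised locally, i.e. by the client.
            sender = "client" if m.group(1) == "write" else "server"
            cur["tls_alert"] = (sender, m.group(2), m.group(3))
        elif m := OSSL.search(line):
            cur["openssl"] = (m.group(1), m.group(2))
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            tls = cur["tls_alert"] or cur["openssl"]
            cur["cause"] = "tls_handshake" if tls else "not_tls"
            failures.append(cur)
        elif m := SSID.search(line):
            cur["ssid"] = m.group(1)  # arrives after the failure event
    return failures

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f["cause"], f["method"], f["ssid"], f["tls_alert"], f["openssl"])
```

A `tls_handshake` result with a client-sent `protocol version` alert means the supplicant refused the server's TLS version, so re-entering the password cannot help.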
For some context, while TLS v1.0 and 1.1 were only deprecated in March 2021, TLS v1.2 has been available since 2008, and TLS v1.3 (the latest) since 2018. There is really no excuse for KT to still be using the outdated version.
Instead of overriding the settings and allowing an insecure version of TLS, my solution was to just use the open Wi-Fi with no authentication and then utilize Tailscale’s excellent exit node feature to just secure my connection. Much less hassle, and my connection is still secured from eavesdroppers.
This is the same company that claims they’re the forerunner in AI solutions on television ads. I wonder if you guys feel any shame, KT?