From d6a7668eb25d7b13499acdbdc582e1ad4d93c946 Mon Sep 17 00:00:00 2001
From: Akrm Al-Hakimi <alhakimiakrmj@gmail.com>
Date: Tue, 3 Mar 2026 20:33:19 -0500
Subject: [PATCH 1/2] fix(#270): let NM negotiate best protocol and cipher

---
 nmrs/src/api/builders/wifi_builder.rs | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/nmrs/src/api/builders/wifi_builder.rs b/nmrs/src/api/builders/wifi_builder.rs
index 244ad407..de881842 100644
--- a/nmrs/src/api/builders/wifi_builder.rs
+++ b/nmrs/src/api/builders/wifi_builder.rs
@@ -152,7 +152,9 @@ impl WifiConnectionBuilder {
 
     /// Configures WPA-PSK (Personal) security with the given passphrase.
     ///
-    /// Uses WPA2 (RSN) with CCMP encryption.
+    /// Lets NetworkManager negotiate the best protocol (WPA/WPA2/WPA3)
+    /// and cipher (TKIP/CCMP) with the access point, supporting mixed-mode
+    /// routers that advertise both WPA and WPA2.
     #[must_use]
     pub fn wpa_psk(mut self, psk: impl Into<String>) -> Self {
         let mut security = HashMap::new();
@@ -161,11 +163,6 @@ impl WifiConnectionBuilder {
         security.insert("psk-flags", Value::from(0u32));
         security.insert("auth-alg", Value::from("open"));
 
-        // Enforce WPA2 with AES
-        security.insert("proto", Self::string_array(&["rsn"]));
-        security.insert("pairwise", Self::string_array(&["ccmp"]));
-        security.insert("group", Self::string_array(&["ccmp"]));
-
         self.inner = self
             .inner
             .with_section("802-11-wireless-security", security);

From 133a18a227c36565e4e01acc03f0038d84155c6d Mon Sep 17 00:00:00 2001
From: Akrm Al-Hakimi <alhakimiakrmj@gmail.com>
Date: Tue, 3 Mar 2026 20:35:02 -0500
Subject: [PATCH 2/2] tests(#270): assert `proto/pairwise/group` are not
 present

---
 nmrs/src/api/builders/wifi_builder.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nmrs/src/api/builders/wifi_builder.rs b/nmrs/src/api/builders/wifi_builder.rs
index de881842..0acff2b1 100644
--- a/nmrs/src/api/builders/wifi_builder.rs
+++ b/nmrs/src/api/builders/wifi_builder.rs
@@ -417,6 +417,12 @@ mod tests {
             Some(&Value::from("password123".to_string()))
         );
 
+        // proto/pairwise/group must not be set so NetworkManager can
+        // negotiate with mixed-mode (WPA1+WPA2) access points.
+        assert!(security.get("proto").is_none());
+        assert!(security.get("pairwise").is_none());
+        assert!(security.get("group").is_none());
+
         let wireless = settings.get("802-11-wireless").unwrap();
         assert_eq!(
             wireless.get("security"),