diff --git a/ChangeLog b/ChangeLog
index 1ba5cc4bd..7907d7291 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2008-09-18  Dan Williams  <dcbw@redhat.com>
+
+	* libnm-util/nm-setting-wireless.c
+		- (nm_setting_wireless_ap_security_compatible): only verify pairwise and
+			group ciphers if the wireless-security setting explicitly specified
+			them, effectively making the default be "all ciphers"  (idea from
+			Alexander Sack)
+
 2008-09-15  Dan Williams  <dcbw@redhat.com>
 
 	Patch from Alexander Sack <asac@ubuntu.com>
diff --git a/libnm-util/nm-setting-wireless.c b/libnm-util/nm-setting-wireless.c
index 6d06a0ee3..7eeafd356 100644
--- a/libnm-util/nm-setting-wireless.c
+++ b/libnm-util/nm-setting-wireless.c
@@ -174,25 +174,33 @@ nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless,
 			    || !(ap_wpa & (NM_802_11_AP_SEC_GROUP_WEP40 | NM_802_11_AP_SEC_GROUP_WEP104)))
 				return FALSE;
 
-			/* Match at least one pairwise cipher with AP's capability */
-			for (iter = s_wireless_sec->pairwise; iter; iter = g_slist_next (iter)) {
-				if ((found = match_cipher (iter->data, "wep40", ap_wpa, ap_wpa, NM_802_11_AP_SEC_PAIR_WEP40)))
-					break;
-				if ((found = match_cipher (iter->data, "wep104", ap_wpa, ap_wpa, NM_802_11_AP_SEC_PAIR_WEP104)))
-					break;
+			/* Match at least one pairwise cipher with AP's capability if the
+			 * wireless-security setting explicitly lists pairwise ciphers
+			 */
+			if (s_wireless_sec->pairwise) {
+				for (iter = s_wireless_sec->pairwise; iter; iter = g_slist_next (iter)) {
+					if ((found = match_cipher (iter->data, "wep40", ap_wpa, ap_wpa, NM_802_11_AP_SEC_PAIR_WEP40)))
+						break;
+					if ((found = match_cipher (iter->data, "wep104", ap_wpa, ap_wpa, NM_802_11_AP_SEC_PAIR_WEP104)))
+						break;
+				}
+				if (!found)
+					return FALSE;
 			}
-			if (!found)
-				return FALSE;
 
-			/* Match at least one group cipher with AP's capability */
-			for (iter = s_wireless_sec->group; iter; iter = g_slist_next (iter)) {
-				if ((found = match_cipher (iter->data, "wep40", ap_wpa, ap_wpa, NM_802_11_AP_SEC_GROUP_WEP40)))
-					break;
-				if ((found = match_cipher (iter->data, "wep104", ap_wpa, ap_wpa, NM_802_11_AP_SEC_GROUP_WEP104)))
-					break;
+			/* Match at least one group cipher with AP's capability if the
+			 * wireless-security setting explicitly lists group ciphers
+			 */
+			if (s_wireless_sec->group) {
+				for (iter = s_wireless_sec->group; iter; iter = g_slist_next (iter)) {
+					if ((found = match_cipher (iter->data, "wep40", ap_wpa, ap_wpa, NM_802_11_AP_SEC_GROUP_WEP40)))
+						break;
+					if ((found = match_cipher (iter->data, "wep104", ap_wpa, ap_wpa, NM_802_11_AP_SEC_GROUP_WEP104)))
+						break;
+				}
+				if (!found)
+					return FALSE;
 			}
-			if (!found)
-				return FALSE;
 		}
 		return TRUE;
 	}
@@ -206,9 +214,6 @@ nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless,
 		if (!(ap_flags & NM_802_11_AP_FLAGS_PRIVACY))
 			return FALSE;
 
-		if (!s_wireless_sec->pairwise || !s_wireless_sec->group)
-			return FALSE;
-
 		if (!strcmp (s_wireless_sec->key_mgmt, "wpa-psk")) {
 			if (   !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_PSK)
 			    && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_PSK))
@@ -223,29 +228,37 @@ nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless,
 		// if the Connection only uses WPA we don't match a cipher against
 		// the AP's RSN IE instead
 
-		/* Match at least one pairwise cipher with AP's capability */
-		for (elt = s_wireless_sec->pairwise; elt; elt = g_slist_next (elt)) {
-			if ((found = match_cipher (elt->data, "tkip", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_TKIP)))
-				break;
-			if ((found = match_cipher (elt->data, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_CCMP)))
-				break;
+		/* Match at least one pairwise cipher with AP's capability if the
+		 * wireless-security setting explicitly lists pairwise ciphers
+		 */
+		if (s_wireless_sec->pairwise) {
+			for (elt = s_wireless_sec->pairwise; elt; elt = g_slist_next (elt)) {
+				if ((found = match_cipher (elt->data, "tkip", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_TKIP)))
+					break;
+				if ((found = match_cipher (elt->data, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_PAIR_CCMP)))
+					break;
+			}
+			if (!found)
+				return FALSE;
 		}
-		if (!found)
-			return FALSE;
 
-		/* Match at least one group cipher with AP's capability */
-		for (elt = s_wireless_sec->group; elt; elt = g_slist_next (elt)) {
-			if ((found = match_cipher (elt->data, "wep40", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_WEP40)))
-				break;
-			if ((found = match_cipher (elt->data, "wep104", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_WEP104)))
-				break;
-			if ((found = match_cipher (elt->data, "tkip", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_TKIP)))
-				break;
-			if ((found = match_cipher (elt->data, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_CCMP)))
-				break;
+		/* Match at least one group cipher with AP's capability if the
+		 * wireless-security setting explicitly lists group ciphers
+		 */
+		if (s_wireless_sec->group) {
+			for (elt = s_wireless_sec->group; elt; elt = g_slist_next (elt)) {
+				if ((found = match_cipher (elt->data, "wep40", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_WEP40)))
+					break;
+				if ((found = match_cipher (elt->data, "wep104", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_WEP104)))
+					break;
+				if ((found = match_cipher (elt->data, "tkip", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_TKIP)))
+					break;
+				if ((found = match_cipher (elt->data, "ccmp", ap_wpa, ap_rsn, NM_802_11_AP_SEC_GROUP_CCMP)))
+					break;
+			}
+			if (!found)
+				return FALSE;
 		}
-		if (!found)
-			return FALSE;
 
 		return TRUE;
 	}