EAP-TLS peer: Disable TLS v1.3 by default
The current EAP peer implementation is not yet ready for the TLS v1.3 changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for these EAP methods for now. While the current EAP-TLS implementation is more or less complete for TLS v1.3, there has been no interoperability testing with other implementations, so disable it by default for now until there has been a chance to confirm that no significant interoperability issues show up with the TLS version update.

The phase1="tls_disable_tlsv1_3=0" configuration parameter can be used to enable TLS v1.3 (assuming the TLS library supports it; e.g., when using OpenSSL 1.1.1).

Signed-off-by: Jouni Malinen <j@w1.fi>
parent
bbbc7e8016
commit
e8a7af9a38
1 changed file with 17 additions and 0 deletions
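As an added illustration (not part of this commit or of the hostap project's own files), the following constructed wpa_supplicant.conf fragment shows a network block that gets the new default beside one that uses the phase1 override the commit message describes. The SSID, identity and certificate paths are placeholders.

```conf
# Constructed example, not from the commit.
# After this change the EAP-TLS, EAP-TTLS, EAP-PEAP and EAP-FAST peers
# disable TLS v1.3 unless told otherwise, so this block negotiates
# at most TLS v1.2.
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/ca.pem"
    client_cert="/etc/ssl/certs/user.pem"
    private_key="/etc/ssl/private/user.key"
}

# Same network, but with TLS v1.3 explicitly re-enabled for
# interoperability testing. The override only takes effect when the
# TLS library supports TLS v1.3 (e.g. OpenSSL 1.1.1), as the commit
# message notes.
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/ca.pem"
    client_cert="/etc/ssl/certs/user.pem"
    private_key="/etc/ssl/private/user.key"
    phase1="tls_disable_tlsv1_3=0"
}
```

The phase1 string is a per-network setting, so the override can be limited to the one SSID being tested against a known TLS v1.3-capable authenticator. Since the commit message states that the EAP-TTLS, EAP-PEAP and EAP-FAST peer code is not yet ready for TLS v1.3, the override is only meaningful for EAP-TLS interoperability testing at this point.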
@ -163,6 +163,23 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
*/
params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
}
if (data->eap_type == EAP_TYPE_FAST ||
data->eap_type == EAP_TYPE_TTLS ||
data->eap_type == EAP_TYPE_PEAP) {
/* The current EAP peer implementation is not yet ready for the
* TLS v1.3 changes, so disable this by default for now. */
params->flags |= TLS_CONN_DISABLE_TLSv1_3;
}
if (data->eap_type == EAP_TYPE_TLS) {
/* While the current EAP-TLS implementation is more or less
* complete for TLS v1.3, there has been no interoperability
* testing with other implementations, so disable for by default
* for now until there has been chance to confirm that no
* significant interoperability issues show up with TLS version
* update.
*/
params->flags |= TLS_CONN_DISABLE_TLSv1_3;
}
if (phase2) {
wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
eap_tls_params_from_conf2(params, config);
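Review bot: both new blocks OR `TLS_CONN_DISABLE_TLSv1_3` into `params->flags` unconditionally, so the `phase1="tls_disable_tlsv1_3=0"` override promised in the commit message only works if the phase1 parsing that runs after this point (`eap_tls_params_from_conf2(params, config)` or the phase1 handling that follows) clears the bit when the value is 0 rather than only setting it when the value is 1; that code path is not in the hunk and is worth confirming, and the wpa_supplicant.conf documentation for `tls_disable_tlsv1_3` should state that the default is now method-dependent. A smaller point: the EAP-FAST/TTLS/PEAP block and the EAP-TLS block perform the identical `params->flags |= TLS_CONN_DISABLE_TLSv1_3;`, so they could be one condition (`data->eap_type == EAP_TYPE_TLS || data->eap_type == EAP_TYPE_FAST || ...`) with a single comment giving both reasons, and the EAP-TLS comment carries the typo "disable for by default".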