hostapd: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled when hostapd is used as an EAP server with OpenSSL as the TLS library. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
b7328434f7
commit
f8995f8f1c
5 changed files with 15 additions and 0 deletions
|
|
@ -1984,6 +1984,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
||||||
} else if (os_strcmp(buf, "dh_file") == 0) {
|
} else if (os_strcmp(buf, "dh_file") == 0) {
|
||||||
os_free(bss->dh_file);
|
os_free(bss->dh_file);
|
||||||
bss->dh_file = os_strdup(pos);
|
bss->dh_file = os_strdup(pos);
|
||||||
|
} else if (os_strcmp(buf, "openssl_ciphers") == 0) {
|
||||||
|
os_free(bss->openssl_ciphers);
|
||||||
|
bss->openssl_ciphers = os_strdup(pos);
|
||||||
} else if (os_strcmp(buf, "fragment_size") == 0) {
|
} else if (os_strcmp(buf, "fragment_size") == 0) {
|
||||||
bss->fragment_size = atoi(pos);
|
bss->fragment_size = atoi(pos);
|
||||||
#ifdef EAP_SERVER_FAST
|
#ifdef EAP_SERVER_FAST
|
||||||
|
|
|
||||||
|
|
@ -763,6 +763,15 @@ eap_server=0
|
||||||
# "openssl dhparam -out /etc/hostapd.dh.pem 1024"
|
# "openssl dhparam -out /etc/hostapd.dh.pem 1024"
|
||||||
#dh_file=/etc/hostapd.dh.pem
|
#dh_file=/etc/hostapd.dh.pem
|
||||||
|
|
||||||
|
# OpenSSL cipher string
|
||||||
|
#
|
||||||
|
# This is an OpenSSL specific configuration option for configuring the default
|
||||||
|
# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
|
||||||
|
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
|
||||||
|
# on cipher suite configuration. This is applicable only if hostapd is built to
|
||||||
|
# use OpenSSL.
|
||||||
|
#openssl_ciphers=DEFAULT:!EXP:!LOW
|
||||||
|
|
||||||
# Fragment size for EAP methods
|
# Fragment size for EAP methods
|
||||||
#fragment_size=1400
|
#fragment_size=1400
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -444,6 +444,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
|
||||||
os_free(conf->private_key_passwd);
|
os_free(conf->private_key_passwd);
|
||||||
os_free(conf->ocsp_stapling_response);
|
os_free(conf->ocsp_stapling_response);
|
||||||
os_free(conf->dh_file);
|
os_free(conf->dh_file);
|
||||||
|
os_free(conf->openssl_ciphers);
|
||||||
os_free(conf->pac_opaque_encr_key);
|
os_free(conf->pac_opaque_encr_key);
|
||||||
os_free(conf->eap_fast_a_id);
|
os_free(conf->eap_fast_a_id);
|
||||||
os_free(conf->eap_fast_a_id_info);
|
os_free(conf->eap_fast_a_id_info);
|
||||||
|
|
|
||||||
|
|
@ -302,6 +302,7 @@ struct hostapd_bss_config {
|
||||||
int check_crl;
|
int check_crl;
|
||||||
char *ocsp_stapling_response;
|
char *ocsp_stapling_response;
|
||||||
char *dh_file;
|
char *dh_file;
|
||||||
|
char *openssl_ciphers;
|
||||||
u8 *pac_opaque_encr_key;
|
u8 *pac_opaque_encr_key;
|
||||||
u8 *eap_fast_a_id;
|
u8 *eap_fast_a_id;
|
||||||
size_t eap_fast_a_id_len;
|
size_t eap_fast_a_id_len;
|
||||||
|
|
|
||||||
|
|
@ -158,6 +158,7 @@ int authsrv_init(struct hostapd_data *hapd)
|
||||||
params.private_key = hapd->conf->private_key;
|
params.private_key = hapd->conf->private_key;
|
||||||
params.private_key_passwd = hapd->conf->private_key_passwd;
|
params.private_key_passwd = hapd->conf->private_key_passwd;
|
||||||
params.dh_file = hapd->conf->dh_file;
|
params.dh_file = hapd->conf->dh_file;
|
||||||
|
params.openssl_ciphers = hapd->conf->openssl_ciphers;
|
||||||
params.ocsp_stapling_response =
|
params.ocsp_stapling_response =
|
||||||
hapd->conf->ocsp_stapling_response;
|
hapd->conf->ocsp_stapling_response;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue