Wireless access point daemon, patched with ubus support
The TLS protocol design for renegotiation was identified to have a significant security flaw in 2009 and an extension to secure this design was published in 2010 (RFC 5746). However, some old RADIUS authentication servers without support for this are still used commonly. This is obviously not good from the security viewpoint, but since there are cases where the user of a network service has no realistic means for getting the authentication server upgraded, TLS handshake may still need to be allowed to be able to use the network.

OpenSSL 3.0 disabled the client side workaround by default and this resulted in issues connecting to some networks with insecure authentication servers. With OpenSSL 3.0, the client is now enforcing security by refusing to authenticate with such servers.

The pre-3.0 behavior of ignoring this issue and leaving security to the server can now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1. This should be used only when having to connect to a network that has an insecure authentication server that cannot be upgraded.

The old (pre-2010) TLS renegotiation mechanism might open security vulnerabilities if the authentication server were to allow TLS renegotiation to be initiated. While this is unlikely to cause real issues with EAP-TLS, there might be cases where use of PEAP or TTLS with an authentication server that does not support RFC 5746 might result in a security vulnerability.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

doc
eap_example
hostapd
hs20
radius_example
src
tests
wlantest
wpa_supplicant
wpadebug
wpaspy
.gitignore
Android.mk
build_release
CONTRIBUTIONS
COPYING
README

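An added example, not part of the hostap code base or of the commit: a small audit that scans wpa_supplicant configuration text for network blocks whose phase1 sets allow_unsafe_renegotiation=1, and rates PEAP/TTLS networks higher because the commit message at the top of this page names them as the riskier case. The sample configuration, its SSIDs and identity, and the "high"/"review" labels are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf content (SSIDs and identity are made up).
SAMPLE_CONF = '''
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    phase1="peaplabel=0 allow_unsafe_renegotiation=1"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-certs"
    key_mgmt=WPA-EAP
    eap=TLS
    phase1="allow_unsafe_renegotiation=1"
}
network={
    ssid="corp-modern"
    key_mgmt=WPA-EAP
    eap=TTLS
}
'''

# One network={ ... } block; the closing brace sits on its own line.
NETWORK_RE = re.compile(r"^[ \t]*network=\{[ \t]*$(.*?)^[ \t]*\}[ \t]*$", re.M | re.S)
# key="quoted value" or key=unquoted value (e.g. eap=TTLS PEAP); '#' comments do not match.
FIELD_RE = re.compile(r'^[ \t]*(\w+)=(?:"([^"]*)"|(.+?))[ \t]*$', re.M)

def audit(conf_text):
    """Return (ssid, eap_methods, label) for each network block that
    re-enables the pre-3.0 behaviour via allow_unsafe_renegotiation=1."""
    findings = []
    for block in NETWORK_RE.finditer(conf_text):
        fields = {}
        for m in FIELD_RE.finditer(block.group(1)):
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        if "allow_unsafe_renegotiation=1" not in fields.get("phase1", "").split():
            continue
        methods = fields.get("eap", "").upper().split()
        # Labels are this example's own: PEAP/TTLS are the methods the commit
        # message flags; EAP-TLS is described there as unlikely to be an issue.
        tunneled = any(name in ("PEAP", "TTLS") for name in methods)
        findings.append((fields.get("ssid", "?"), methods, "high" if tunneled else "review"))
    return findings

if __name__ == "__main__":
    for ssid, methods, label in audit(SAMPLE_CONF):
        print(f"{label:6} ssid={ssid} eap={','.join(methods)}")
```

Every finding is a network where the client no longer refuses a server without RFC 5746 support, so each one is a candidate for an authentication-server upgrade followed by removal of the parameter.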
wpa_supplicant and hostapd
--------------------------

Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.

These programs are licensed under the BSD license (the one with advertisement clause removed).

If you are submitting changes to the project, please see CONTRIBUTIONS file for more instructions.

This package may include either wpa_supplicant, hostapd, or both. See the README file in the respective subdirectory (wpa_supplicant/README or hostapd/README) for more details.

Source code files were moved around in the v0.6.x releases. Compared to earlier releases, the programs are now built by first going to a subdirectory (wpa_supplicant or hostapd), creating a build configuration (.config) and running 'make' there (for Linux/BSD/cygwin builds).

License
-------

This software may be distributed, used, and modified under the terms of BSD license:

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name(s) of the above-listed copyright holder(s) nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.