path: root/hostapd
diff options
authorBeniamino Galvani <bgalvani@redhat.com>2017-07-09 09:06:50 (GMT)
committerJouni Malinen <j@w1.fi>2017-07-17 08:55:22 (GMT)
commit2b9891bd6e125d3e28f26afde32e153db658b7cc (patch)
tree11b63f7e7d7b3ec19828a56c753e94c538231728 /hostapd
parent65833d71a5f3b8240db397efa7200e894a3eab1f (diff)
OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL instead of the hardcoded default "DEFAULT:!EXP:!LOW". This new option is useful on distributions where the security level should be consistent for all applications, as in Fedora [1]. In such cases the new configuration option would be set to "" or "PROFILE=SYSTEM" to select the global crypto policy by default. [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Diffstat (limited to 'hostapd')
4 files changed, 14 insertions, 1 deletions
diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index c8e986e..721fcbb 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -630,6 +630,10 @@ NEED_SHA256=y
LIBS += -lcrypto
LIBS_h += -lcrypto
ifeq ($(CONFIG_TLS), gnutls)
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 91e1fda..fb926fb 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -668,6 +668,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl
LIBS_h += -ldl
ifeq ($(CONFIG_TLS), gnutls)
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 521d877..26be9f8 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -278,6 +278,10 @@ CONFIG_IPV6=y
# can be enabled to enable use of stronger crypto algorithms.
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 51c47e6..7ad3206 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -931,7 +931,8 @@ eap_server=0
# OpenSSL cipher string
# This is an OpenSSL specific configuration option for configuring the default
-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
+# by default) is used.
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
# on cipher suite configuration. This is applicable only if hostapd is built to
# use OpenSSL.