path: root/hostapd/config_file.c
diff options
authorJouni Malinen <j@w1.fi>2019-01-05 15:02:33 (GMT)
committerJouni Malinen <j@w1.fi>2019-01-05 15:14:26 (GMT)
commitcc9c4feccc5588137f66c40a4a6729476556853e (patch)
tree8056a0dcf308f006bf9592b750c61bcd6417d7ab /hostapd/config_file.c
parente3afbd796cbae8be6d1b6f5a8ea841bb5a62d753 (diff)
OpenSSL: Allow systemwide policies to be overridden
Some distributions (e.g., Debian) have started introducting systemwide OpenSSL policies to disable older protocol versions and ciphers throughout all programs using OpenSSL. This can result in significant number of interoperability issues with deployed EAP implementations. Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server) parameters to be used to request systemwide policies to be overridden if older versions are needed to be able to interoperate with devices that cannot be updated to support the newer protocol versions or keys. The default behavior is not changed here, i.e., the systemwide policies will be followed if no explicit override configuration is used. The overrides should be used only if really needed since they can result in reduced security. In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network profile parameter can be used to explicitly enable TLS versions that are disabled in the systemwide configuration. For example, phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter can be used to override systemwide policy, e.g., with openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1 in Debian to allow shorter keys to be used. In hostapd, tls_flags parameter can be used to configure similar options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1] Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'hostapd/config_file.c')
1 files changed, 6 insertions, 0 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 19ccb30..10a52fd 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2265,10 +2265,16 @@ static unsigned int parse_tls_flags(const char *val)
if (os_strstr(val, "[DISABLE-TLSv1.0]"))
flags |= TLS_CONN_DISABLE_TLSv1_0;
+ if (os_strstr(val, "[ENABLE-TLSv1.0]"))
+ flags |= TLS_CONN_ENABLE_TLSv1_0;
if (os_strstr(val, "[DISABLE-TLSv1.1]"))
flags |= TLS_CONN_DISABLE_TLSv1_1;
+ if (os_strstr(val, "[ENABLE-TLSv1.1]"))
+ flags |= TLS_CONN_ENABLE_TLSv1_1;
if (os_strstr(val, "[DISABLE-TLSv1.2]"))
flags |= TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(val, "[ENABLE-TLSv1.2]"))
+ flags |= TLS_CONN_ENABLE_TLSv1_2;
if (os_strstr(val, "[DISABLE-TLSv1.3]"))
flags |= TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(val, "[ENABLE-TLSv1.3]"))