authorJouni Malinen <j@w1.fi>2018-05-01 19:12:37 (GMT)
committerJouni Malinen <j@w1.fi>2018-05-01 19:13:38 (GMT)
commitd501c27cfeb4749b99b9af7861be15c338a0ef2a (patch)
treebc011001bf190d3fb1d79a515d787eda8cfec905 /hostapd/config_file.c
parente8a7af9a38f71408977e03967df02615e266fc12 (diff)
EAP-TLS server: Disable TLS v1.3 by default
The current EAP peer implementation is not yet ready for the TLS v1.3 changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for this EAP method for now. While the current EAP-TLS implementation is more or less complete for TLS v1.3, there has been no interoperability testing with other implementations, so disable it by default for now until there has been a chance to confirm that no significant interoperability issues show up with the TLS version update. The tls_flags=[ENABLE-TLSv1.3] configuration parameter can be used to enable TLS v1.3 (assuming the TLS library supports it; e.g., when using OpenSSL 1.1.1). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'hostapd/config_file.c')
-rw-r--r--hostapd/config_file.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index c2d2d62..151b9fc 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2140,6 +2140,11 @@ static unsigned int parse_tls_flags(const char *val)
{
unsigned int flags = 0;
+ /* Disable TLS v1.3 by default for now to avoid interoperability issue.
+ * This can be enabled by default once the implementation has been fully
+ * completed and tested with other implementations. */
+ flags |= TLS_CONN_DISABLE_TLSv1_3;
+
if (os_strstr(val, "[ALLOW-SIGN-RSA-MD5]"))
flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
if (os_strstr(val, "[DISABLE-TIME-CHECKS]"))
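Review bot: The new default on the `flags |= TLS_CONN_DISABLE_TLSv1_3;` line only takes effect when parse_tls_flags() runs, which presumably happens only for a configuration that contains a tls_flags line; if the default for a configuration without tls_flags is not also set where hostapd's config defaults are initialized, such a configuration would keep TLS v1.3 enabled and the "by default" claim in the commit title would not hold — this diff is limited to config_file.c, so that cannot be confirmed from here and is worth checking. The comment block above the assignment should also tell an operator how to override it, since the only hint is in the commit message; I would extend it with `* Override with tls_flags=[ENABLE-TLSv1.3] once the TLS library supports it.` The rest of parse_tls_flags() continues outside this hunk.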
@@ -2152,6 +2157,8 @@ static unsigned int parse_tls_flags(const char *val)
flags |= TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(val, "[DISABLE-TLSv1.3]"))
flags |= TLS_CONN_DISABLE_TLSv1_3;
+ if (os_strstr(val, "[ENABLE-TLSv1.3]"))
+ flags &= ~TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(val, "[SUITEB]"))
flags |= TLS_CONN_SUITEB;
if (os_strstr(val, "[SUITEB-NO-ECDH]"))
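Review bot: The added `[ENABLE-TLSv1.3]` check clears the bit after the `[DISABLE-TLSv1.3]` check has set it, so a value containing both tokens silently ends with TLS v1.3 enabled regardless of the order the operator wrote them in, and nothing tells the operator the two flags conflict. That precedence is defensible but should be stated, e.g. above the new check: `/* [ENABLE-TLSv1.3] wins over both the built-in default and [DISABLE-TLSv1.3], whatever their order in the string */`; alternatively a conflicting pair could be reported as a configuration error if the caller has a way to surface one. Matching is by os_strstr() substring, so the bracketed spelling is what keeps "[ENABLE-TLSv1.3]" from matching inside "[DISABLE-TLSv1.3]" — any future unbracketed variant would break that.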