path: root/src/tls/tlsv1_client.c
author: Jouni Malinen <j@w1.fi> 2009-03-08 10:04:39 (GMT)
committer: Jouni Malinen <j@w1.fi> 2009-03-08 10:04:39 (GMT)
commit: 9e783041fa3cc13bf940d275e9d26c0dce032df6 (patch)
tree: f3c9bf3afec67a017004de45d3670dcfee2269db /src/tls/tlsv1_client.c
parent: 58d1f6d189bea3ccb7af8a19c1bbc191cfbabfbd (diff)
Add a workaround for EAP-FAST with Cisco AP local RADIUS server
When using the internal TLS implementation, EAP-FAST unauthenticated provisioning ends up proposing multiple cipher suites. It looks like the Cisco AP (at least 350 and 1200 series) local authentication server does not know how to search cipher suites from the list and seems to require that the last entry in the list is the one that it wants to use. However, the TLS specification requires the list to be in the client preference order. As a workaround, add anon-DH AES-128-SHA1 again at the end of the list to allow the Cisco code to find it.

This fixed EAP-FAST provisioning with the following IOS version:

Cisco IOS Software, C350 Software (C350-K9W7-M), Version 12.3(8)JEA3, RELEASE SOFTWARE (fc2)
Compiled Wed 21-Nov-07 14:08 by ccai
Diffstat (limited to 'src/tls/tlsv1_client.c')
-rw-r--r-- src/tls/tlsv1_client.c 11
1 file changed, 11 insertions, 0 deletions
diff --git a/src/tls/tlsv1_client.c b/src/tls/tlsv1_client.c
index 302e3ee..9715b5f 100644
--- a/src/tls/tlsv1_client.c
+++ b/src/tls/tlsv1_client.c
@@ -620,6 +620,17 @@ int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers)
suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA;
+
+ /*
+ * Cisco AP (at least 350 and 1200 series) local authentication
+ * server does not know how to search cipher suites from the
+ * list and seem to require that the last entry in the list is
+ * the one that it wants to use. However, TLS specification
+ * requires the list to be in the client preference order. As a
+ * workaround, ass anon-DH AES-128-SHA1 again at the end of the
+ * list to allow the Cisco code to find it.
+ */
+ suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
conn->num_cipher_suites = count;
}
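Review bot: The hunk appends a further `suites[count++]` entry without any visible bound check on `count` against the capacity of `suites`; since this path already writes a fixed sequence of anon-DH entries into that array, please confirm the array is sized for one more element (or add a check) so the extra entry cannot run past the end of the buffer. Also note that the ClientHello now carries TLS_DH_anon_WITH_AES_128_CBC_SHA twice, which is fine for the lenient Cisco server described but may be rejected by a server that validates the suite list strictly, so the comment should say that this duplicate is intentional. Finally, the comment block has the same typo as the commit message: "ass anon-DH AES-128-SHA1 again" should read "add anon-DH AES-128-SHA1 again".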