Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

TLS: Add tls_disable_tlsv1_1 and tls_disable_tlsv1_2 phase1 params

These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dmitry Shmidt 11 years ago
parent
41ff0fa64c
commit
e9a6f18385
4 changed files with 27 additions and 0 deletions
Split View Show Diff Stats
  1. 2 0
      src/crypto/tls.h
  2. 13 0
      src/crypto/tls_openssl.c
  3. 8 0
      src/eap_peer/eap_tls_common.c
  4. 4 0
      wpa_supplicant/wpa_supplicant.conf

+ 2 - 0
src/crypto/tls.h
View File 

@@ -85,6 +85,8 @@ struct tls_config {
 
 #define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
 
 #define TLS_CONN_REQUEST_OCSP BIT(3)
 
 #define TLS_CONN_REQUIRE_OCSP BIT(4)
 
+#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
 
+#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
 
 
 /**
 
  * struct tls_connection_params - Parameters for TLS connection

+ 13 - 0
src/crypto/tls_openssl.c
View File 

@@ -3177,6 +3177,19 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 
 #endif /* SSL_clear_options */
 
 #endif /*  SSL_OP_NO_TICKET */
 
 
+#ifdef SSL_OP_NO_TLSv1_1
 
+	if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
 
+		SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);
 
+	else
 
+		SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_1);
 
+#endif /* SSL_OP_NO_TLSv1_1 */
 
+#ifdef SSL_OP_NO_TLSv1_2
 
+	if (params->flags & TLS_CONN_DISABLE_TLSv1_2)
 
+		SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_2);
 
+	else
 
+		SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_2);
 
+#endif /* SSL_OP_NO_TLSv1_2 */
 
+
 
 #ifdef HAVE_OCSP
 
 	if (params->flags & TLS_CONN_REQUEST_OCSP) {
 
 		SSL_CTX *ssl_ctx = tls_ctx;

+ 8 - 0
src/eap_peer/eap_tls_common.c
View File 

@@ -64,6 +64,14 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
 
 		params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
 
 	if (os_strstr(txt, "tls_disable_session_ticket=0"))
 
 		params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
 
+	if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
 
+		params->flags |= TLS_CONN_DISABLE_TLSv1_1;
 
+	if (os_strstr(txt, "tls_disable_tlsv1_1=0"))
 
+		params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;
 
+	if (os_strstr(txt, "tls_disable_tlsv1_2=1"))
 
+		params->flags |= TLS_CONN_DISABLE_TLSv1_2;
 
+	if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
 
+		params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
 
 }

+ 4 - 0
wpa_supplicant/wpa_supplicant.conf
View File 

@@ -800,6 +800,10 @@ fast_reauth=1
 
 #	EAP workarounds are disabled with eap_workarounds=0.
 
 #	For EAP-FAST, this must be set to 0 (or left unconfigured for the
 
 #	default value to be used automatically).
 
+# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
 
+#	that have issues interoperating with updated TLS version)
 
+# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
 
+#	that have issues interoperating with updated TLS version)
 
 #
 
 # Following certificate/private key fields are used in inner Phase2
 
 # authentication when using EAP-TTLS or EAP-PEAP.