git.ipfire.org Git - thirdparty/hostap.git/commit

author	Jouni Malinen <j@w1.fi>
	Tue, 9 Dec 2014 13:57:03 +0000 (15:57 +0200)
committer	Jouni Malinen <j@w1.fi>
	Tue, 9 Dec 2014 14:57:05 +0000 (16:57 +0200)
commit	d4913c585ec9b62a667473878a7fd7d8600d3388
tree	282192911ac674832733a813ec0602854c910384	tree \| snapshot
parent	471debb0b3428be24a05ab553b6eea2263d93f4f	commit \| diff

OpenSSL: Fix EAP-FAST peer regression

Commit 35efa2479ff19c3f13e69dc50d2708ce79a99beb ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.

Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/crypto/tls.h		diff \| blob \| blame \| history
src/crypto/tls_openssl.c		diff \| blob \| blame \| history
src/eap_peer/eap_tls_common.c		diff \| blob \| blame \| history