EAP-TLS server: Disable TLS v1.3 by default

The current EAP peer implementation is not yet ready for the TLS v1.3
changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for
this EAP method for now.

While the current EAP-TLS implementation is more or less complete for
TLS v1.3, there has been no interoperability testing with other
implementations, so disable for by default for now until there has been
chance to confirm that no significant interoperability issues show up
with TLS version update. tls_flags=[ENABLE-TLSv1.3] configuration
parameter can be used to enable TLS v1.3 (assuming the TLS library
supports it; e.g., when using OpenSSL 1.1.1).

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index c2d2d6244fa7b6d534e0506677ad9be2fa953b68..151b9fc5c901edc3e593d8a6253d760c25cd710a 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2140,6 +2140,11 @@ static unsigned int parse_tls_flags(const char *val)
 {
        unsigned int flags = 0;
 
+       /* Disable TLS v1.3 by default for now to avoid interoperability issue.
+        * This can be enabled by default once the implementation has been fully
+        * completed and tested with other implementations. */
+       flags |= TLS_CONN_DISABLE_TLSv1_3;
+
        if (os_strstr(val, "[ALLOW-SIGN-RSA-MD5]"))
                flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
        if (os_strstr(val, "[DISABLE-TIME-CHECKS]"))
@@ -2152,6 +2157,8 @@ static unsigned int parse_tls_flags(const char *val)
                flags |= TLS_CONN_DISABLE_TLSv1_2;
        if (os_strstr(val, "[DISABLE-TLSv1.3]"))
                flags |= TLS_CONN_DISABLE_TLSv1_3;
+       if (os_strstr(val, "[ENABLE-TLSv1.3]"))
+               flags &= ~TLS_CONN_DISABLE_TLSv1_3;
        if (os_strstr(val, "[SUITEB]"))
                flags |= TLS_CONN_SUITEB;
        if (os_strstr(val, "[SUITEB-NO-ECDH]"))

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index d9f50b1f9d61b67fa2d0ecec302a0e125a0f4785..056a7903582602cfc6f0c27d69ca5ef086a8eb60 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -10,6 +10,7 @@
 
 #include "utils/common.h"
 #include "crypto/sha1.h"
+#include "crypto/tls.h"
 #include "radius/radius_client.h"
 #include "common/ieee802_11_defs.h"
 #include "common/eapol_common.h"
@@ -125,6 +126,11 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #ifdef CONFIG_MBO
        bss->mbo_cell_data_conn_pref = -1;
 #endif /* CONFIG_MBO */
+
+       /* Disable TLS v1.3 by default for now to avoid interoperability issue.
+        * This can be enabled by default once the implementation has been fully
+        * completed and tested with other implementations. */
+       bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
 }