EAP-TLS peer: Disable TLS v1.3 by default

author Jouni Malinen <j@w1.fi>

Tue, 1 May 2018 18:58:35 +0000 (21:58 +0300)

committer Jouni Malinen <j@w1.fi>

Tue, 1 May 2018 19:13:38 +0000 (22:13 +0300)
author Jouni Malinen <j@w1.fi>
Tue, 1 May 2018 18:58:35 +0000 (21:58 +0300)
committer Jouni Malinen <j@w1.fi>
Tue, 1 May 2018 19:13:38 +0000 (22:13 +0300)
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c

index e0d8d43c82584733d320a5e1d3ff3527fb58f6e6..8572005d70ae2d3c0a646be65a6b0de9822e77e4 100644 (file)
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -163,6 +163,23 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
                  */
                 params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
         }
+       if (data->eap_type == EAP_TYPE_FAST ||
+           data->eap_type == EAP_TYPE_TTLS ||
+           data->eap_type == EAP_TYPE_PEAP) {
+               /* The current EAP peer implementation is not yet ready for the
+                * TLS v1.3 changes, so disable this by default for now. */
+               params->flags |= TLS_CONN_DISABLE_TLSv1_3;
+       }
+       if (data->eap_type == EAP_TYPE_TLS) {
+               /* While the current EAP-TLS implementation is more or less
+                * complete for TLS v1.3, there has been no interoperability
+                * testing with other implementations, so disable for by default
+                * for now until there has been chance to confirm that no
+                * significant interoperability issues show up with TLS version
+                * update.
+                */
+               params->flags |= TLS_CONN_DISABLE_TLSv1_3;
+       }
         if (phase2) {
                 wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
                 eap_tls_params_from_conf2(params, config);
author	Jouni Malinen <j@w1.fi>
	Tue, 1 May 2018 18:58:35 +0000 (21:58 +0300)
committer	Jouni Malinen <j@w1.fi>
	Tue, 1 May 2018 19:13:38 +0000 (22:13 +0300)