Add phase1/phase2 parameter for disabling TLS Session Ticket extension
authorJouni Malinen <j@w1.fi>
Fri, 17 Aug 2012 19:21:28 +0000 (22:21 +0300)
committerJouni Malinen <j@w1.fi>
Fri, 17 Aug 2012 19:21:28 +0000 (22:21 +0300)
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.

Signed-hostap: Jouni Malinen <j@w1.fi>

src/eap_peer/eap_tls_common.c

index c91d863aefdfd18851b4231749b7bde2038d8997..3291048b098899f513a270c1e9ab86f19bf4a6f6 100644 (file)
@@ -48,6 +48,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
                params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
        if (os_strstr(txt, "tls_disable_time_checks=1"))
                params->flags |= TLS_CONN_DISABLE_TIME_CHECKS;
+       if (os_strstr(txt, "tls_disable_session_ticket=1"))
+               params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
+       if (os_strstr(txt, "tls_disable_session_ticket=0"))
+               params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
 }
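Review bot: The two added os_strstr() checks are order-insensitive substring matches, so a string that contains both `tls_disable_session_ticket=1` and `tls_disable_session_ticket=0` always ends with the flag cleared, whichever value was written last, and `=1` also matches inside a longer token such as `tls_disable_session_ticket=10`. The substring matching is the same as for the existing flags above, but this is the first flag here with a clearing branch, so the precedence should be stated in a comment, for example `/* "=0" is tested last and overrides "=1"; presumably lets phase2 clear a value set in phase1 */`. The beginning of eap_tls_params_flags() is outside the hunk, so how txt is obtained and whether the function runs once per phase string is inferred rather than visible here.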