EAP peer: Workaround for servers that do not support safe TLS renegotiation

The TLS protocol design for renegotiation was identified to have a
significant security flaw in 2009 and an extension to secure this design
was published in 2010 (RFC 5746). However, some old RADIUS
authentication servers without support for this are still used commonly.

This is obviously not good from the security view point, but since there
are cases where the user of a network service has no realistic means for
getting the authentication server upgraded, TLS handshake may still need
to be allowed to be able to use the network.

OpenSSL 3.0 disabled the client side workaround by default and this
resulted in issues connection to some networks with insecure
authentication servers. With OpenSSL 3.0, the client is now enforcing
security by refusing to authenticate with such servers. The pre-3.0
behavior of ignoring this issue and leaving security to the server can
now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
This should be used only when having to connect to a network that has an
insecure authentication server that cannot be upgraded.

The old (pre-2010) TLS renegotiation mechanism might open security
vulnerabilities if the authentication server were to allow TLS
renegotiation to be initiated. While this is unlikely to cause real
issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
an authentication server that does not support RFC 5746 might result in
a security vulnerability.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index ccaac94c92672703a9703df31ab252e6721ddaa1..7ea32ee4aec38215c89a959b94b23a1b1613aa26 100644 (file)
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -112,6 +112,7 @@ struct tls_config {
 #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
 #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
 #define TLS_CONN_TEAP_ANON_DH BIT(17)
+#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 388c6b0f4e4f4cc716f1322344585133fbe6cf62..0d23f44adbd39cb98ea9808bf52edc1a7eb51e5d 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
                SSL_clear_options(ssl, SSL_OP_NO_TICKET);
 #endif /* SSL_OP_NO_TICKET */
 
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+       if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
+               SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
+
 #ifdef SSL_OP_NO_TLSv1
        if (flags & TLS_CONN_DISABLE_TLSv1_0)
                SSL_set_options(ssl, SSL_OP_NO_TLSv1);

diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 06c9b211e97690788edcc4ac8e3e558c180c83d0..6193b4bdbbb73e0a7c1e00de2d1b9202e282ffc3 100644 (file)
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
                params->flags |= TLS_CONN_SUITEB_NO_ECDH;
        if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
                params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
+       if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
+               params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+       if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
+               params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
 }
 
 

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index a1dc769c946e885f19acb66d248b7b8163485e12..b5304a77e01d7192205b8ce24c1ea468d5cb48ef 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1370,6 +1370,11 @@ fast_reauth=1
 # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
 # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
 #      particular when using Suite B with RSA keys of >= 3K (3072) bits
+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
+#      not support safe renegotiation (RFC 5746); please note that this
+#      workaround should be only when having to authenticate with an old
+#      authentication server that cannot be updated to use secure TLS
+#      implementation.
 #
 # Following certificate/private key fields are used in inner Phase2
 # authentication when using EAP-TTLS or EAP-PEAP.