Ready for 2.2.7?

Alan DeKok aland at
Tue Mar 31 18:16:25 CEST 2015

On Mar 31, 2015, at 10:53 AM, Jouni Malinen <jkmalinen at> wrote:
> It should actually already be possible to enable this by adding
> phase1="tls_disable_session_ticket=0" into the network profile in
> wpa_supplicant/eapol_test.

  That's good to know.

> This workaround (of not sending session
> ticket) can also be disabled with eap_workaround=0, but it looks like
> that actually results in other issues with FreeRADIUS (mismatch in
> EAP-MSCHAPv2 header length when used within PEAP),

  Hmm... I don't see that here.  Do you have packet traces / debug logs?

  And the inner EAP data in PEAP is... stupid.  Very, very, stupid.  <sigh>

> I don't know which TLS implementation is involved in the problem cases
> or whether the EAP server implementation manages to break this on  its
> own. Anyway, none of the reported interop issues with TLS session
> ticket extension have been with FreeRADIUS.

  That's good to know.

  Alan DeKok.

More information about the Freeradius-Users mailing list