On Tue, Mar 31, 2015 at 1:33 PM, Nick Lowe <nick.lowe@gmail.com> wrote:
Isn't it about time to, by default, include TLS extensions in the Client Hello and have an option to switch it off for any broken servers?
Are you talking of any specific TLS extension here? It does not look reasonable yet to enable session tickets by default. There is not much real benefit from them to EAP-TLS/PEAP/TTLS (and EAP-FAST uses session tickets in its own peculiar ways) and since there continue to be reports of failures to connect to various WPA2-Enterprise networks, the default behavior is unlikely to change any time soon. If there are real use cases that would benefit from session tickets, a configurable option to do so could be added. Other TLS extensions are used based on what the TLS library does and OCSP (status request extension) can be enabled through configuration.
Incidentally, just looking at the code in wpa_supplicant, only when OpenSSL is used is TLS 1.2 used/supported. It's hard coded for TLS 1.0 with all the other SSL/TLS implementations.
I'm not sure what this is based on, but it is not correct. Both the GnuTLS and internal TLS implementation can use TLS v1.1 and v1.2 (though, the internal TLS implementation is quite limited in 1.2 support). - Jouni