Ready for 2.2.7?

Jouni Malinen jkmalinen at gmail.com
Tue Mar 31 13:15:06 CEST 2015


On Tue, Mar 31, 2015 at 1:33 PM, Nick Lowe <nick.lowe at gmail.com> wrote:
> Isn't it about time to, by default, include TLS extensions in the Client
> Hello and have an option to switch it off for any broken servers?

Are you talking about any specific TLS extension here? It does not look
reasonable yet to enable session tickets by default. There is not much
real benefit from them to EAP-TLS/PEAP/TTLS (and EAP-FAST uses session
tickets in its own peculiar ways), and since there continue to be
reports of failures to connect to various WPA2-Enterprise networks,
the default behavior is unlikely to change any time soon. If there are
real use cases that would benefit from session tickets, a configurable
option to do so could be added.

Other TLS extensions are used based on what the TLS library does and
OCSP (status request extension) can be enabled through configuration.

> Incidentally, just looking at the code in wpa_supplicant, only when OpenSSL
> is used is TLS 1.2 used/supported. It's hard-coded for TLS 1.0 with all the
> other SSL/TLS implementations.

I'm not sure what this is based on, but it is not correct. Both the
GnuTLS and internal TLS implementations can use TLS v1.1 and v1.2
(though the internal TLS implementation is quite limited in its 1.2
support).

- Jouni
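The reply above says session tickets stay off by default and that the OCSP status_request extension is enabled through configuration. The network block below is an added example, not code from the thread or from the wpa_supplicant project, showing where those settings live in wpa_supplicant.conf. The SSID, identity and certificate paths are constructed placeholders, and it is an assumption that the reader's wpa_supplicant build accepts every option shown (in particular the tls_disable_tlsv1_* flags).

```conf
# Added example (not from the mailing-list thread): EAP-TLS network block
# showing the TLS-extension settings discussed in the reply. Values other
# than the option names are constructed placeholders.
network={
    # constructed sample SSID and identity
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"

    # placeholder paths; replace with the real CA and client credentials
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/user.pem"
    private_key="/etc/wpa/user.key"

    # OCSP stapling via the TLS status_request extension:
    #   0 = do not request a stapled OCSP response (default)
    #   1 = request one, but continue if the server sends none
    #   2 = require a valid stapled response for the server certificate
    # 2 is the setting that actually turns a revoked server certificate
    # into a failed authentication instead of a silent fallback.
    ocsp=2

    # Session tickets are off by default for EAP-TLS/PEAP/TTLS, as the
    # reply explains; tls_disable_session_ticket=0 would add the extension
    # to the ClientHello. Keeping it at 1 matches the default behaviour.
    # The tls_disable_tlsv1_* flags restrict negotiation to TLS 1.2 so
    # that a misbehaving server cannot pull the handshake down to TLS 1.0;
    # their availability depends on the wpa_supplicant version (assumption).
    phase1="tls_disable_session_ticket=1 tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}
```

When testing a change like this, set ocsp=1 first: if the server never staples a response, a move straight to ocsp=2 looks like a generic EAP failure, and the difference between "no stapled response" and "invalid stapled response" only becomes visible in the wpa_supplicant debug log.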

