Ready for 2.2.7?

Arran Cudbard-Bell a.cudbardb at
Tue Mar 31 16:04:36 CEST 2015

> On 31 Mar 2015, at 06:19, Jouni Malinen <jkmalinen at> wrote:
> On Tue, Mar 31, 2015 at 3:17 AM, Arran Cudbard-Bell
> <a.cudbardb at> wrote:
>>> On 30 Mar 2015, at 20:09, Matthew Newton <mcn4 at> wrote:
>>> Compatibility with what?
>> eapol_test, booo.
> Compatibility with any correct TLSv1.2 -based implementation..


>> Noticed today that with TLS 1.2 FR and eapol_test 2.4 (and so presumably wpa_supplicant)
>> disagreed on the MPPE keys. Not sure where the fault lies there. Both were running on the
>> same machine, linked against the same version of OpenSSL.
> FreeRADIUS has incorrect key derivation for TLSv1.2.
> eaptls_gen_mppe_keys() has not taken into account that the PRF
> algorithm changes in the new TLS version. That PRF() call there would
> need to be modified to take into acocunt that difference between TLS
> versions. Or likely much more easily, you could move to using
> SSL_export_keying_material() whenever building with OpenSSL 1.0.1 or
> newer. That has some complexities for EAP-FAST (not supported by that
> OpenSSL function because someone thought that it would be create to
> design EAP-FAST in a way that is different from others..). Anyway,
> EAP-FAST is not supported yet by FreeRADIUS and has interop issues
> with TLS v1.2 anyway, so it is unclear when it is going to need new
> key derivation..
> wpa_supplicant, and as such, eapol_test, too, uses
> SSL_export_keying_material() in this case to get the correct keys out
> from OpenSSL.

Ok, i'll take a look at fixing that. Thanks!


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list