OpenSSL: Remove EAP-FAST TLSv1.0 only workaround for OpenSSL 1.1.0

The issue with the special form of TLS session tickets has been fixed in
the OpenSSL 1.1.0 branch, so disable workaround for it. OpenSSL 1.0.1
and 1.0.2 workaround is still in place until a release with the fix has
been made.

This allows TLSv1.1 and TLSv1.2 to be negotiated for EAP-FAST with the
OpenSSL versions that support this.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-07-28 11:53:13 +03:00
parent 9dd21d5183
commit 06836013d3

View file

@ -3631,6 +3631,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
if (can_pkcs11 == 2 && !engine_id) if (can_pkcs11 == 2 && !engine_id)
engine_id = "pkcs11"; engine_id = "pkcs11";
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (params->flags & TLS_CONN_EAP_FAST) { if (params->flags & TLS_CONN_EAP_FAST) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"OpenSSL: Use TLSv1_method() for EAP-FAST"); "OpenSSL: Use TLSv1_method() for EAP-FAST");
@ -3640,6 +3641,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1; return -1;
} }
} }
#endif
while ((err = ERR_get_error())) { while ((err = ERR_get_error())) {
wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s", wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",