OpenSSL: Fix EAP-FAST with OpenSSL 1.1.1-pre1

TLS v1.3 needs to be explicitly disabled to allow cipher suite selection for EAP-FAST to work with OpenSSL builds that include TLS v1.3 support. Without this, OpenSSL refuses to generate ClientHello due to the cipher suite list including only ciphers allowed with older versions than TLS v1.3. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-14 12:40:33 +02:00 · 2018-02-14 12:40:33 +02:00 · b2e4074ca3
parent a8ec0b8ccc
commit b2e4074ca3
1 changed files with 9 additions and 0 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -4309,6 +4309,15 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		}
 	}
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+	if (params->flags & TLS_CONN_EAP_FAST) {
+		/* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
+		 * refuses to start the handshake with the modified ciphersuite
+		 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
+		wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
+		SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3);
+	}
+#endif
 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */

 	while ((err = ERR_get_error())) {