EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
This may be needed to avoid interoperability issues with the new protocol version, which introduces significant changes for EAP use cases in both key derivation and handshake termination. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
0d34c13a72
commit
bbbc7e8016
5 changed files with 15 additions and 0 deletions
@ -2150,6 +2150,8 @@ static unsigned int parse_tls_flags(const char *val)
flags |= TLS_CONN_DISABLE_TLSv1_1;
if (os_strstr(val, "[DISABLE-TLSv1.2]"))
flags |= TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(val, "[DISABLE-TLSv1.3]"))
flags |= TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(val, "[SUITEB]"))
flags |= TLS_CONN_SUITEB;
if (os_strstr(val, "[SUITEB-NO-ECDH]"))
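Review bot: The new `[DISABLE-TLSv1.3]` token accepted by parse_tls_flags gets no documentation in this commit; the only configuration text added is the wpa_supplicant.conf line for the `tls_disable_tlsv1_3=1` phase1 form, so hostapd operators have no visible way to learn the token exists. Wherever the tls_flags tokens are documented on the hostapd side, a line parallel to the existing [DISABLE-TLSv1.2] entry, e.g. `# [DISABLE-TLSv1.3] = disable use of TLSv1.3`, should accompany this change. The parsing itself mirrors the neighbouring tokens and raises no concern. parse_tls_flags starts and ends outside the hunk.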
@ -101,6 +101,7 @@ struct tls_config {
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
#define TLS_CONN_SUITEB BIT(11)
#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
/**
* struct tls_connection_params - Parameters for TLS connection
@ -2470,6 +2470,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
else
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
#endif /* SSL_OP_NO_TLSv1_2 */
#ifdef SSL_OP_NO_TLSv1_3
if (flags & TLS_CONN_DISABLE_TLSv1_3)
SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
else
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
#endif /* SSL_OP_NO_TLSv1_3 */
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
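Review bot: TLS_CONN_DISABLE_TLSv1_3 is acted on only here in the OpenSSL backend; the commit's five files include no other tls_*.c wrapper, so if those backends do not inspect the new bit, an operator's `tls_disable_tlsv1_3=1` is accepted without complaint while TLS 1.3 remains negotiable, which silently defeats the interoperability workaround this change exists to provide. Either have the backends that do not implement the flag log it as unsupported when it is set, or record the limitation next to the new define in tls.h with a comment such as `/* Currently honored only by the OpenSSL backend */`. The `#ifdef SSL_OP_NO_TLSv1_3` guard within this hunk is the right shape, since an OpenSSL build lacking that option presumably cannot negotiate TLS 1.3 at all, so dropping the request there is harmless. tls_set_conn_flags starts and ends outside the hunk.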
@ -80,6 +80,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
params->flags |= TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(txt, "tls_disable_tlsv1_3=1"))
params->flags |= TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(txt, "tls_disable_tlsv1_3=0"))
params->flags &= ~TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(txt, "tls_ext_cert_check=1"))
params->flags |= TLS_CONN_EXT_CERT_CHECK;
if (os_strstr(txt, "tls_ext_cert_check=0"))
@ -1210,6 +1210,8 @@ fast_reauth=1
# that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
# tls_ext_cert_check=0 - No external server certificate validation (default)
# tls_ext_cert_check=1 - External server certificate validation enabled; this
# requires an external program doing validation of server certificate