TLS: Add tls_disable_tlsv1_1 and tls_disable_tlsv1_2 phase1 params

These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dmitry Shmidt 2014-02-19 13:21:58 -08:00 committed by Jouni Malinen
parent 41ff0fa64c
commit e9a6f18385
4 changed files with 27 additions and 0 deletions


@ -85,6 +85,8 @@ struct tls_config {
#define TLS_CONN_DISABLE_SESSION_TICKET BIT(2) #define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
#define TLS_CONN_REQUEST_OCSP BIT(3) #define TLS_CONN_REQUEST_OCSP BIT(3)
#define TLS_CONN_REQUIRE_OCSP BIT(4) #define TLS_CONN_REQUIRE_OCSP BIT(4)
#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
/** /**
* struct tls_connection_params - Parameters for TLS connection * struct tls_connection_params - Parameters for TLS connection
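Review bot: The two new TLS_CONN_DISABLE_TLSv1_x bits are defined in the backend-neutral header, but the diffstat shows only one backend implementation being touched in this commit, so on any other TLS backend a phase1 string that sets them is accepted and then silently ignored (unless those backends are updated elsewhere). A user who disables TLSv1.2 for interoperability will then see no effect and no error, which is hard to diagnose from the log. The header is the place to state that; a comment above the two defines such as `/* TLS_CONN_DISABLE_TLSv1_x are honoured only by backends that map them to protocol options; others ignore them */` would make the limitation visible to whoever adds support in the remaining backends.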


@ -3177,6 +3177,19 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
#endif /* SSL_clear_options */ #endif /* SSL_clear_options */
#endif /* SSL_OP_NO_TICKET */ #endif /* SSL_OP_NO_TICKET */
#ifdef SSL_OP_NO_TLSv1_1
if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);
else
SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_1);
#endif /* SSL_OP_NO_TLSv1_1 */
#ifdef SSL_OP_NO_TLSv1_2
if (params->flags & TLS_CONN_DISABLE_TLSv1_2)
SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_2);
else
SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_2);
#endif /* SSL_OP_NO_TLSv1_2 */
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
if (params->flags & TLS_CONN_REQUEST_OCSP) { if (params->flags & TLS_CONN_REQUEST_OCSP) {
SSL_CTX *ssl_ctx = tls_ctx; SSL_CTX *ssl_ctx = tls_ctx;
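Review bot: The SSL_set_options() calls in the two new `#ifdef` blocks lower the protocol versions the connection will negotiate without leaving any trace in the debug log, so a network whose phase1 disables TLSv1.1 or TLSv1.2 falls back to an older protocol silently. Since a reduced version floor is exactly the kind of setting an operator wants to be able to confirm from a capture of the log, a line such as `wpa_printf(MSG_DEBUG, "TLS: Disable TLSv1.1 per phase1 configuration");` in the TLS_CONN_DISABLE_TLSv1_1 branch, and the matching line in the TLSv1.2 branch, would be worth adding. tls_connection_set_params() starts and ends outside the hunk, so whether an earlier part of the function already restricts TLSv1.0 cannot be checked here; if it does, disabling both new versions on top of it would leave no negotiable version, and a note at the top of this block saying which combinations are expected to remain usable would help.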


@ -64,6 +64,14 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
params->flags |= TLS_CONN_DISABLE_SESSION_TICKET; params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
if (os_strstr(txt, "tls_disable_session_ticket=0")) if (os_strstr(txt, "tls_disable_session_ticket=0"))
params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET; params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
params->flags |= TLS_CONN_DISABLE_TLSv1_1;
if (os_strstr(txt, "tls_disable_tlsv1_1=0"))
params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;
if (os_strstr(txt, "tls_disable_tlsv1_2=1"))
params->flags |= TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
} }
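Review bot: For each new key the `=0` test is placed after the `=1` test, so a phase1 string that contains both `tls_disable_tlsv1_2=1` and `tls_disable_tlsv1_2=0` always ends with the flag cleared, whatever order the two appear in; this mirrors the existing tls_disable_session_ticket handling directly above but is nowhere stated, and a reader is likely to assume last-one-wins. A one-line comment before the new block, e.g. `/* "=0" is tested after "=1" for each key, so it overrides it regardless of position in the string */`, would record the intent. The substring match via os_strstr() also follows the existing pattern in this function; eap_tls_params_flags() starts outside the hunk, so its header comment (if any) would be the place to list the two new keys alongside the ones already parsed.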


@ -800,6 +800,10 @@ fast_reauth=1
# EAP workarounds are disabled with eap_workarounds=0. # EAP workarounds are disabled with eap_workarounds=0.
# For EAP-FAST, this must be set to 0 (or left unconfigured for the # For EAP-FAST, this must be set to 0 (or left unconfigured for the
# default value to be used automatically). # default value to be used automatically).
# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
# #
# Following certificate/private key fields are used in inner Phase2 # Following certificate/private key fields are used in inner Phase2
# authentication when using EAP-TTLS or EAP-PEAP. # authentication when using EAP-TTLS or EAP-PEAP.