GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support
Thu Dec 15 01:00:05 PST 2005
Jouni Malinen <jkmaline at cc.hut.fi> writes:
> On Wed, Dec 14, 2005 at 02:37:02PM +0100, Simon Josefsson wrote:
>> We are pleased to present a customized version of GnuTLS 1.2.8 that
>> adds an implementation of the TLS Inner Application (TLS/IA) protocol.
>> The goal is to merge this TLS/IA branch with the main development
>> branch (1.3.x) and then to investigate how EAP-TTLSv1 can be
>> implemented. We invite suggestions and comments on these matters.
> This is an interesting and welcome development to see in an open source TLS
> I've considered implementing EAP-TTLSv1, but haven't so far had
> enough interest to start working on it; partly because of it
> involving changes to the TLS library.
I understand. I think we'd like to have EAP-TTLSv1 implemented, and I
may start working on that.
> I've implemented EAP-TTLSv0 in wpa_supplicant (EAP peer) and hostapd
> (EAP authenticator/authentication server). Both of these programs use an
> internal TLS wrapper interface to allow different TLS libraries to be
> used. In case of wpa_supplicant, there is enough functionality to run
> EAP-TTLSv0 with both OpenSSL and GnuTLS.
I did look at the code, and found this modularization neat. I did
wonder whether the GnuTLS wrapper was complete enough for EAP-TTLSv0
to work, so you answered one of my questions here.
Is there anything the GnuTLS wrapper in wpa_supplicant does not
support? I.e., is there ever a need to use OpenSSL? If feasible,
we'd like for distributors of wpa_supplicant (like Debian) to use
wpa_supplicant with GnuTLS, so that EAP-TTLSv1 can work.
Another question: I also see there is a TLS wrapper for Schannel.
Does EAP-TTLSv0 in wpa_supplicant work under Windows? Does it use the
Windows SSPI credential store and CA certificates? In general, how
complete is the Windows support in wpa_supplicant?
> One of the things I'm currently going through in the new development
> branch is cleanup on various internal interfaces and one of these would
> indeed be the TLS wrapper interface. This would be a good point to also
> take a look at what kind of functionality would be needed to add support
> for using TLS/IA and start extending EAP-TTLS code to support version 1.
Ok. I may be able to help with some of that.