wpa_supplicant: using internal TLSv1

Jouni Malinen
Mon Aug 11 22:09:34 PDT 2008


On Tue, Aug 12, 2008 at 11:42:07AM +0800, Soh Kam Yung wrote:

> 1) If CONFIG_EAP_TLS, CONFIG_EAP_PEAP and CONFIG_EAP_TTLS=n, I do not
> need any TLS implementation (either internal or OpenSSL).  Is this
> correct?

Not necessarily; this depends on what other features you have enabled.
For example, EAP-FAST would also require full TLS support and some other
EAP methods may require crypto algorithms that are not strictly speaking
part of TLSv1, but may be included with the internal/OpenSSL TLS
selection. The easiest way to test this is to make a build with the
configuration you want and see what happens.

(By the way, setting build configuration variables in .config to any
value, including 'n', is going to enable them; the only way to disable
these is to either remove or comment them out in .config.)

> 2) Is the Internal TLSv1 implementation stable?  The sample defconfig
> file in wpa_supplicant-0.5.8 still marks the Internal TLSv1 as
> experimental.

I'm considering the 0.5.x branch version to be experimental and 0.6.x
version to become stable with the first 0.6.x "stable release". In other
words, implementation in 0.5.x is not complete and it may miss some
certificate validation steps and it may not be able to parse some
certificates while the implementation in 0.6.x is more complete. At this
point, I do not have plans on merging in the latest version from 0.6.x
into 0.5.x.

> 3) Is libtommath.c 'good enough' or is it advisable for me to use the
> full LibTomMath library for the internal TLSv1?

The main difference is in how fast the operations are. The situation has
improved quite a bit in the current 0.6.x branch with the build time
options to enable more optimized (but a bit larger) implementation from
LibTomMath. This is still not the fastest possible bignum implementation,
but assuming you are not running on lowest end CPU options, the
libtommath.c version in 0.6.x is likely fast enough.

> 4) Are the interoperability testing results
> (http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/eap_testing.txt
> ) valid for the internal TLSv1 implementation?

No. Many of these have only been tested with OpenSSL. I have verified
internal TLSv1 implementation against a number of the servers, but not
all.

-- 
Jouni Malinen                                            PGP id EFC895FA
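The point about `.config` above (any assignment, including `=n`, enables an option, because the wpa_supplicant Makefile only tests whether a `CONFIG_*` variable is defined) is easy to get wrong when trimming a build down to the internal TLS implementation. The following POSIX shell snippet is an added example, not code from the hostap project or this thread: it lists which `CONFIG_*` options a `.config` actually turns on and flags every `CONFIG_*=n` line that the author of the file probably meant as "disabled". The sample `.config` it writes is constructed for the demonstration and is not the project's defconfig.

```shell
#!/bin/sh
# Added example (not from the hostap project): lint a wpa_supplicant .config.
# The Makefile guards features with `ifdef CONFIG_...`, so any assignment,
# including `CONFIG_X=n`, enables the feature; the only way to turn a feature
# off is to delete the line or comment it out with '#'.

# enabled_options FILE
# Prints the name of every CONFIG_* variable that is assigned on an
# uncommented line, i.e. every option the build will really enable,
# whatever the value on the right-hand side.
enabled_options() {
    sed -n 's/^[[:space:]]*\(CONFIG_[A-Za-z0-9_]*\)[[:space:]]*=.*$/\1/p' "$1"
}

# lint_wpa_config FILE
# Prints each CONFIG_* variable that is set to the value n (after optional
# whitespace) and returns 1 if any were found, 0 otherwise. Lines starting
# with '#' are not matched, so commented-out options are not reported.
lint_wpa_config() {
    hits=$(sed -n 's/^[[:space:]]*\(CONFIG_[A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*n[[:space:]]*$/\1/p' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# write_sample_config FILE
# Writes a constructed sample .config (not the project's defconfig) that
# mixes 'y', 'n', a non-boolean value and a commented-out option.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample .config for the linter demonstration
CONFIG_DRIVER_WEXT=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=n
CONFIG_EAP_TTLS = n
#CONFIG_EAP_FAST=y
CONFIG_TLS=internal
EOF
}

# Stand-alone usage: lint a file given on the command line, or the sample.
if [ -n "$1" ]; then
    cfg=$1
else
    cfg=$(mktemp)
    write_sample_config "$cfg"
fi
echo "options the build will enable:"
enabled_options "$cfg" | sed 's/^/  /'
if ! lint_wpa_config "$cfg" > /tmp/lint.$$; then
    echo "WARNING: these options are set to n but are still ENABLED;" \
         "remove or comment out the lines:"
    sed 's/^/  /' /tmp/lint.$$
fi
rm -f /tmp/lint.$$
[ -n "$1" ] || rm -f "$cfg"
```

Run it with no argument to see the constructed sample linted, or pass the path of a real `.config` to check a build tree; a non-zero exit status from `lint_wpa_config` makes it usable as a pre-build check in a script. Note that the `CONFIG_EAP_TTLS = n` line with spaces is still an assignment and is reported, while the `#CONFIG_EAP_FAST=y` line is correctly treated as disabled.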