wpa_supplicant/NM fallback to WPA?
Tue May 6 14:16:25 PDT 2008
> Yeah.. The problem here is that this AP is broken in a way that could
> lead to compromised security since supplicant will not be able to verify
> that the advertised RSN IE matches with the signed one.. In theory, one
> could try to use WPA in this type of case, but I don't really like the
> extra complexity that this would bring into AP selection.
Yeah, true. I guess we'll just have to make NM do the fallback ;)
> This AP seems to advertise
> both TKIP and CCMP as allowed pairwise ciphers, but only includes the
> negotiated pairwise cipher suite in msg 3/4. By doing so, it breaks the
> protection against downgrade attacks..
> WPA: IE in 3/4 msg does not match with IE in Beacon/ProbeResp
> WPA: RSN IE in Beacon/ProbeResp - hexdump(len=26): 30 18 01 00 00 0f ac 02 02 00 00 0f ac 02 00 0f ac 04 01 00 00 0f ac 02 01 00
> WPA: RSN IE in 3/4 msg - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 02 01 00
I can't parse that manually quickly so I'll trust you on it :)
> Quick Google search for this AP seemed to bring lots of pages with
> things like "funktioniert nicht" and "keine Verbindung", so maybe you
> are not the only one seeing this problem.. The connection would likely
> fail with any WPA2-enabled (and correctly implemented ;-) client..
Heh. Looks like.
> My guess would be that this could work fine if the AP were configured to
> use "Nur WPA2" in the Sicherheit | Verschl?sselungsmethode.. I would
> assume WPA/WPA2 is the default, though, and that results in this problem
> with RSN.
I haven't got a clue, it's not my AP and I can't reconfigure it (well I
can probably guess the password but would rather not muck with it)
> Would you happen to have any idea how common those APs are? If I
> understood correctly, this is a telco/ISP-branded AP from a large ADSL
> provider, so there may very well be quite a few of those APs around..
Yeah, Arcor is a large German telco/ADSL provider and I guess they
ship(ped) this or similar APs to each of their customers that buys ADSL.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 828 bytes
Desc: This is a digitally signed message part
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20080506/03127724/attachment.pgp
More information about the Hostap