[PATCH] TLS: Add tls_options field per network to set additional TLS options

Jouni Malinen
Wed Feb 19 04:16:33 PST 2014


On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote:
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> +static long tls_connection_get_opt(const struct tls_connection_params *params)
> +{
> +	long options = 0;
> +
> +	if (params->tls_options == NULL)
> +		return options;
> +	if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
> +		options |= SSL_OP_NO_TLSv1_1;
> +	if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
> +		options |= SSL_OP_NO_TLSv1_2;
> +	return options;
> +}
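Review bot: the os_strstr() checks in tls_connection_get_opt() match bare substrings of params->tls_options, so any token that merely contains "tls_no_tlsv1_1" (for example one carrying a trailing "=0", or a longer name that embeds it) still sets SSL_OP_NO_TLSv1_1; either split tls_options into delimited tokens and compare whole names, or drop the free-form string and express these as TLS_CONN_* bits in struct tls_connection_params::flags so no string matching is needed in the TLS backend at all.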

There is already a mechanism for passing TLS parameters that are similar
to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a
bitfield of TLS_CONN* flags (see src/crypto/tls.h).
TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely.


> diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
> @@ -678,6 +678,13 @@ struct eap_peer_config {
> +	/**
> +	 * tls_options - Additional options for TLS connection
> +	 *
> +	 * This filed allows to set additional TLS options per network.
> +	 */
> +	char *tls_options;
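Review bot: the doc comment has a typo ("This filed allows to set" should read "This field allows setting") and does not say which tokens the string accepts; list the recognised values ("tls_no_tlsv1_1", "tls_no_tlsv1_2") here, since eap_config.h is where users of struct eap_peer_config look. A new char * member also needs matching free and config-write handling, which is not part of this hunk.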

And this new parameter would not be needed with TLS_CONN_* flags, i.e.,
these flags are set based on the existing phase1 parameter (e.g.,
phase1="tls_disable_session_ticket=1").


(This patch was missing saving of this new parameter in config write
options, but anyway, I'd rather handle this through the existing
configuration parameter.)

-- 
Jouni Malinen                                            PGP id EFC895FA
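The flags-based approach recommended above, as an added illustration that is not code from the hostap project or from either patch: a small C parser walks a phase1-style string token by token, so that only a whole "name=1" pair sets its bit, and folds the result into a flags bitfield. The EX_TLS_CONN_* names and values, the parameter table and ex_parse_phase1_flags() are assumptions made for this example, not hostap's definitions.

```c
#include <string.h>

/* Hypothetical flag bits modelled on the TLS_CONN_* bitfield in
 * src/crypto/tls.h; the real header defines its own names and values. */
#define EX_TLS_CONN_DISABLE_SESSION_TICKET 0x01u
#define EX_TLS_CONN_DISABLE_TLSv1_1        0x02u
#define EX_TLS_CONN_DISABLE_TLSv1_2        0x04u

struct ex_flag_param {
	const char *name;     /* phase1 parameter name */
	unsigned int flag;    /* bit set when "name=1" is present */
};

static const struct ex_flag_param ex_params[] = {
	{ "tls_disable_session_ticket", EX_TLS_CONN_DISABLE_SESSION_TICKET },
	{ "tls_disable_tlsv1_1", EX_TLS_CONN_DISABLE_TLSv1_1 },
	{ "tls_disable_tlsv1_2", EX_TLS_CONN_DISABLE_TLSv1_2 },
};

/* Parse a space-separated phase1-style string ("a=1 b=0") into flag bits.
 * Only a whole "name=1" token sets a bit: "name=0", a token that merely
 * contains the name, or a longer name are all ignored, unlike a bare
 * os_strstr() match, which only tests that the name occurs somewhere. */
unsigned int ex_parse_phase1_flags(const char *phase1)
{
	unsigned int flags = 0;
	const char *p = phase1 ? phase1 : "";

	while (*p) {
		size_t len = strcspn(p, " ");          /* this token's length */
		const char *eq = memchr(p, '=', len);
		size_t i;

		if (eq) {
			size_t name_len = (size_t)(eq - p);
			size_t val_len = len - name_len - 1;
			for (i = 0; i < sizeof(ex_params) / sizeof(ex_params[0]); i++) {
				if (strlen(ex_params[i].name) == name_len &&
				    memcmp(ex_params[i].name, p, name_len) == 0 &&
				    val_len == 1 && eq[1] == '1')
					flags |= ex_params[i].flag;
			}
		}
		p += len;
		while (*p == ' ')
			p++;               /* skip separators */
	}
	return flags;
}
```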
