[PATCH] TLS: Add tls_options field per network to set addition TLS options
Jouni Malinen
Wed Feb 19 04:16:33 PST 2014
On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote:
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> +static long tls_connection_get_opt(const struct tls_connection_params *params)
> +{
> + long options = 0;
> +
> + if (params->tls_options == NULL)
> + return options;
> + if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
> + options |= SSL_OP_NO_TLSv1_1;
> + if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
> + options |= SSL_OP_NO_TLSv1_2;
> + return options;
> +}
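Review bot: the `os_strstr` tests in `tls_connection_get_opt` are plain substring matches, so a token such as `tls_no_tlsv1_1` is also accepted when it is embedded in a longer word or followed by an unexpected value; parsing `tls_options` into delimited tokens, or, as the reply suggests, carrying these two settings as `TLS_CONN_*` bits in `struct tls_connection_params::flags`, would make the accepted values unambiguous. The hunk also carries no `@@` header and omits the call site that applies the returned `options` to the SSL context, so the effect of the new function cannot be reviewed from this excerpt.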
There is already a mechanism for passing TLS parameters that are similar
to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a
bitfield of TLS_CONN* flags (see src/crypto/tls.h).
TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely.
> diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
> @@ -678,6 +678,13 @@ struct eap_peer_config {
> + /**
> + * tls_options - Additional options for TLS connection
> + *
> + * This filed allows to set additional TLS options per network.
> + */
> + char *tls_options;
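Review bot: the doc comment line `This filed allows to set additional TLS options per network.` has a typo and an awkward construction; it should read `This field allows setting additional TLS options per network.` Since `tls_options` is a heap-allocated `char *`, the hunk should be accompanied by the matching free in the `eap_peer_config` release path and by the config-write support, neither of which appears in the patch (the reply also notes the missing config write).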
And this new parameter would not be needed with TLS_CONN_* flags, i.e.,
these flags are set based on the existing phase1 parameter (e.g.,
phase1="tls_disable_session_ticket=1").
(This patch was missing saving of this new parameter in config write
options, but anyway, I'd rather handle this through the existing
configuration parameter.)
--
Jouni Malinen PGP id EFC895FA
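The reply above prefers carrying such settings as TLS_CONN_* bits parsed from the existing phase1 string rather than substring-matching a new per-network string. The following C program is an added illustration, not hostap code: the flag values, the function names, and the whitespace-separated key=value token format are assumptions. It contrasts the loose substring matching used by the patch's tls_connection_get_opt with exact token matching, showing why a value like `tls_disable_tlsv1_1=10` or a token hidden inside another word is accepted by the former but rejected by the latter.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative flag bits; hypothetical values, not those of src/crypto/tls.h. */
#define TLS_CONN_DISABLE_SESSION_TICKET 0x01u
#define TLS_CONN_DISABLE_TLSv1_1        0x02u
#define TLS_CONN_DISABLE_TLSv1_2        0x04u

/* Loose parsing in the style of the patch: any substring hit sets the bit. */
unsigned int flags_from_substr(const char *phase1)
{
    unsigned int flags = 0;

    if (phase1 == NULL)
        return 0;
    if (strstr(phase1, "tls_disable_session_ticket=1"))
        flags |= TLS_CONN_DISABLE_SESSION_TICKET;
    if (strstr(phase1, "tls_disable_tlsv1_1=1"))
        flags |= TLS_CONN_DISABLE_TLSv1_1;
    if (strstr(phase1, "tls_disable_tlsv1_2=1"))
        flags |= TLS_CONN_DISABLE_TLSv1_2;
    return flags;
}

/* True only if the token [tok, tok+len) is exactly the string want. */
static int token_is(const char *tok, size_t len, const char *want)
{
    return strlen(want) == len && memcmp(tok, want, len) == 0;
}

/* Strict parsing: split on whitespace and require an exact key=value token. */
unsigned int flags_from_tokens(const char *phase1)
{
    unsigned int flags = 0;
    const char *p = phase1;

    if (phase1 == NULL)
        return 0;
    while (*p) {
        const char *start;
        size_t len;

        while (*p == ' ' || *p == '\t')
            p++;
        start = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
        len = (size_t)(p - start);
        if (len == 0)
            continue;
        if (token_is(start, len, "tls_disable_session_ticket=1"))
            flags |= TLS_CONN_DISABLE_SESSION_TICKET;
        else if (token_is(start, len, "tls_disable_tlsv1_1=1"))
            flags |= TLS_CONN_DISABLE_TLSv1_1;
        else if (token_is(start, len, "tls_disable_tlsv1_2=1"))
            flags |= TLS_CONN_DISABLE_TLSv1_2;
        /* Unknown or malformed tokens are ignored rather than guessed at. */
    }
    return flags;
}

int main(void)
{
    /* Constructed sample phase1 strings, including two ambiguous ones. */
    const char *samples[] = {
        "tls_disable_session_ticket=1 tls_disable_tlsv1_1=1",
        "tls_disable_tlsv1_1=10",
        "xtls_disable_tlsv1_2=1",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-52s substr=0x%02x tokens=0x%02x\n", samples[i],
               flags_from_substr(samples[i]), flags_from_tokens(samples[i]));
    return 0;
}
```

The second and third samples are the interesting ones: substring matching treats `=10` as `=1` and finds `tls_disable_tlsv1_2=1` inside `xtls_disable_tlsv1_2=1`, while token matching sets no bit for either, so a mistyped or unrelated setting cannot silently downgrade the negotiated protocol version.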