[PATCH] TLS: Add tls_options field per network to set additional TLS options
Dmitry Shmidt
Wed Feb 19 13:24:26 PST 2014
On Wed, Feb 19, 2014 at 4:16 AM, Jouni Malinen <j at w1.fi> wrote:
> On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote:
>> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
>> +static long tls_connection_get_opt(const struct tls_connection_params *params)
>> +{
>> + long options = 0;
>> +
>> + if (params->tls_options == NULL)
>> + return options;
>> + if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
>> + options |= SSL_OP_NO_TLSv1_1;
>> + if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
>> + options |= SSL_OP_NO_TLSv1_2;
>> + return options;
>> +}
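Review bot: os_strstr() on the free-form tls_options string in tls_connection_get_opt() matches substrings rather than whole tokens, so a misspelled or unknown option is silently ignored and any string that merely contains the token text enables it. Either tokenize the string and match each recognised key exactly, rejecting the rest, or, as the reply below suggests, drop the string and use the TLS_CONN_* bitfield in struct tls_connection_params::flags so that tls_openssl.c only maps bits to SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2.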
>
> There is already a mechanism for passing TLS parameters that are similar
> to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a
> bitfield of TLS_CONN* flags (see src/crypto/tls.h).
> TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely.
>
>
>> diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
>> @@ -678,6 +678,13 @@ struct eap_peer_config {
>> + /**
>> + * tls_options - Additional options for TLS connection
>> + *
>> + * This filed allows to set additional TLS options per network.
>> + */
>> + char *tls_options;
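Review bot: the doc comment has a typo, "This filed allows to set additional TLS options per network" should read "This field allows additional TLS options to be set per network". If the field stays, it also needs the config write-out that the reply says is missing, and the allocated string must be released wherever the rest of struct eap_peer_config is freed; neither is visible in this hunk.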
>
> And this new parameter would not be needed with TLS_CONN_* flags, i.e.,
> these flags are set based on the existing phase1 parameter (e.g.,
> phase1="tls_disable_session_ticket=1").
You mean something like this:
http://patchwork.ozlabs.org/patch/322016/
>
>
> (This patch was missing saving of this new parameter in config write
> options, but anyway, I'd rather handle this through the existing
> configuration parameter.)
>
> --
> Jouni Malinen PGP id EFC895FA
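Jouni's suggestion above is to carry these settings as TLS_CONN_* bits in struct tls_connection_params::flags, derived from the existing phase1 string. The following C function is an added example, not code from the hostap tree: it parses a phase1-style string into such a bitfield with whole-token matching, which avoids the substring pitfalls of an os_strstr() search. The EX_* bit values and the ex_phase1_to_flags name are placeholders, not the real TLS_CONN_* definitions.

```c
#include <stddef.h>
#include <string.h>

/* Placeholder bit values for this example only; the real TLS_CONN_* flags
 * are defined in src/crypto/tls.h and are not reproduced here. */
#define EX_TLS_DISABLE_TLSv1_1        0x01
#define EX_TLS_DISABLE_TLSv1_2        0x02
#define EX_TLS_DISABLE_SESSION_TICKET 0x04

/* Accepted phase1 keys and the flag bit each "key=1" token sets. */
static const struct { const char *key; unsigned int flag; } ex_phase1_keys[] = {
	{ "tls_disable_tlsv1_1",        EX_TLS_DISABLE_TLSv1_1 },
	{ "tls_disable_tlsv1_2",        EX_TLS_DISABLE_TLSv1_2 },
	{ "tls_disable_session_ticket", EX_TLS_DISABLE_SESSION_TICKET },
};
#define EX_NUM_KEYS (sizeof(ex_phase1_keys) / sizeof(ex_phase1_keys[0]))

/* Parse a space-separated phase1-style string ("key=1 key=0 ...") into a
 * flags bitfield. Each token must match a key whole ("key=<one char>"), so
 * "xtls_disable_tlsv1_1=1" or "tls_disable_tlsv1_1=0" set nothing, which a
 * plain substring search gets wrong. Tokens matching no key are counted in
 * *unknown (if non-NULL) so a typo in the config is not silently lost. */
unsigned int ex_phase1_to_flags(const char *phase1, int *unknown)
{
	unsigned int flags = 0;
	const char *p = phase1 ? phase1 : "";

	if (unknown)
		*unknown = 0;
	while (*p) {
		size_t len, i;
		while (*p == ' ')
			p++;
		if (!*p)
			break;
		len = strcspn(p, " ");
		for (i = 0; i < EX_NUM_KEYS; i++) {
			size_t klen = strlen(ex_phase1_keys[i].key);
			if (len == klen + 2 && p[klen] == '=' &&
			    strncmp(p, ex_phase1_keys[i].key, klen) == 0) {
				if (p[klen + 1] == '1')
					flags |= ex_phase1_keys[i].flag;
				break;
			}
		}
		if (i == EX_NUM_KEYS && unknown)
			(*unknown)++;
		p += len;
	}
	return flags;
}
```

A caller would treat a non-zero unknown count as a configuration error rather than proceeding with a partially applied TLS policy.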