[PATCH] TLS: Add tls_options field per network to set additional TLS options

Dmitry Shmidt dimitrysh
Wed Feb 19 13:24:26 PST 2014


On Wed, Feb 19, 2014 at 4:16 AM, Jouni Malinen <j at w1.fi> wrote:
> On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote:
>> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
>> +static long tls_connection_get_opt(const struct tls_connection_params *params)
>> +{
>> +     long options = 0;
>> +
>> +     if (params->tls_options == NULL)
>> +             return options;
>> +     if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
>> +             options |= SSL_OP_NO_TLSv1_1;
>> +     if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
>> +             options |= SSL_OP_NO_TLSv1_2;
>> +     return options;
>> +}
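Review bot: os_strstr() does substring matching, so the two checks in tls_connection_get_opt() will fire on any longer token that happens to contain "tls_no_tlsv1_1" or "tls_no_tlsv1_2", and a value such as "tls_no_tlsv1_10" or a typo is silently accepted rather than rejected. If a free-form string is kept at all, parse it as a delimited list of exact tokens and log unknown ones; the existing phase1 parser already does this for "tls_disable_session_ticket=1" style options. Note also that SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 only exist in OpenSSL builds that support TLS 1.1/1.2, so the references need the same version guards used elsewhere in tls_openssl.c, and there is no corresponding option for TLS 1.0 even though that is the version most likely to be disabled.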
>
> There is already a mechanism for passing TLS parameters that are similar
> to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a
> bitfield of TLS_CONN* flags (see src/crypto/tls.h).
> TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely.
>
>
>> diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
>> @@ -678,6 +678,13 @@ struct eap_peer_config {
>> +     /**
>> +      * tls_options - Additional options for TLS connection
>> +      *
>> +      * This filed allows to set additional TLS options per network.
>> +      */
>> +     char *tls_options;
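Review bot: the doc comment should list the accepted values ("tls_no_tlsv1_1", "tls_no_tlsv1_2") and their effect, otherwise a user has no way to know what this string may contain; it also has a typo ("This filed allows to set" should read "This field allows setting"). Since tls_options is a heap-allocated char *, the patch also needs the matching free in eap_peer_config_free() and, as noted below, the config write path, or the value is leaked and lost on save.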
>
> And this new parameter would not be needed with TLS_CONN_* flags, i.e.,
> these flags are set based on the existing phase1 parameter (e.g.,
> phase1="tls_disable_session_ticket=1").

You mean something like this:
http://patchwork.ozlabs.org/patch/322016/

>
>
> (This patch was missing saving of this new parameter in config write
> options, but anyway, I'd rather handle this through the existing
> configuration parameter.)
>
> --
> Jouni Malinen                                            PGP id EFC895FA