wpa-supplicant EAP-TLS Key derivation TLS 1.2
Jouni Malinen
j
Fri Aug 28 09:08:54 PDT 2015
On Fri, Aug 28, 2015 at 03:28:52PM +0100, Nick Lowe wrote:
> You derive it based on the TLS version.
>
> SSL_export_keying_material() is fine to use as all OpenSSL versions
> that implement TLS 1.2 support this.
>
> Falling back where it is not available is therefore fine.
For existing cases, yes, that was the case. With TLS v1.2 getting
enabled for EAP-FAST with some new OpenSSL versions, additional changes
are needed. That's why the fallback does now have support for TLS v1.2
-based key derivation:
http://w1.fi/cgit/hostap/commit/?id=16bc3b8935c3f37ea79ff511a36e77d52ab94da7
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list