Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?
Jouni Malinen
j
Fri Jul 10 13:10:56 PDT 2015
On Fri, Jul 10, 2015 at 09:02:11PM +0100, David Woodhouse wrote:
> On Fri, 2015-07-10 at 21:07 +0300, Jouni Malinen wrote:
> > However, I'd rather do that only in case this can really be shown to
> > be because of the incorrect MSK derivation.
>
> Yeah, that makes sense. In which case you'd still need the whole
> infrastructure to calculate the 'alternative' MSK. So we might as well
> stick with your existing patch which just *uses* the alternative MSK.
Yes, that sounds likely in practice.
> > it might be as simple to just have an out-of-tree patch available for
> > anyone who wants to build a binary with such a capability
>
> I don't think there's much benefit in that. If they're going to have to
> fight the lack of coherent error reporting to work out what the problem
> is, and then take remedial action, then they might as well just
> *configure* it not to use TLSv1.2. A patch is probably harder than the
> config change (although Dan we *will* need NetworkManager to be able to
> set it on demand according to the config).
>
> The benefit in a code-based 'fix' is only really if it can be merged by
> default and enabled whenever eap_workaround is set.
Agreed. eap_workaround is enabled by default, so for this to be
acceptable, that complexity of calculating the incorrect MSK would be
needed..
Once I get a bit more information on the scale of the issue (mainly,
whether it is only the two previously identified server components that
have clear fixes already available or whether there are some other
servers impacted as well with no easy fix), I'll figure out whether I
can convince myself to accept the workaround into hostap.git..
If you do get confirmation on the authentication server (ideally
including its version number) being from Cisco, I can also check with
the engineers directly to avoid going through normal support requests so
as to see if this could be fixed soon for wpa_supplicant not having to
care too much.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list