[PATCH v3 0/2] EAP-{TTLS,PEAP} support (draft) for TLS 1.3
Alexander Clouter
alex at digriz.org.uk
Sat Feb 20 12:03:04 EST 2021
Hello,
On Sat, 20 Feb 2021, at 16:25, Jouni Malinen wrote:
> On Fri, Oct 16, 2020 at 09:49:34AM +0100, Alexander Clouter wrote:
> > Support TLS 1.3 for EAP-{TTLS,PEAP} as described in
> > draft-ietf-emu-tls-eap-types and tested against FreeRADIUS[1].
> >
> > [1] https://github.com/FreeRADIUS/freeradius-server/pull/3517
>
> > Alexander Clouter (2):
> > EAP-TTLS/PEAP peer: fix failure when using session tickets under TLS 1.3
> > EAP peer/server: support for draft-ietf-emu-tls-eap-types-00
>
> Thanks, applied with some cleanup. In particular, I split patch 2/2 into
> smaller commits to make it easier to understand what is being changed.

Thank you for this, in particular for putting your time into fixing them up.

> I also replaced the references to the draft-ietf-emu-eap-tls13
> draft to use the revision -13 explicitly instead of the latest version
> since it looks like the Commitment Message implementation does not
> really match what is there now in -14 that came out after these patches
> were posted.

There is a lively debate underway on the emu mailing list on what to do here and no doubt soon I will need to update hostap to track further changes.

My understanding is that though replacing the commitment message (revision-13) with an SSL close_notify (revision-14) works for EAP-TLS, it makes things a little fruity for TTLS/PEAP, especially around session resumption and how to signal types of errors (unknown CA, etc).

Time will tell, but I do plan to provide further patches to hostap once the dust settles; maybe, like FreeRADIUS currently has, a configuration toggle to flip between these different signalling methods.

Regards
--
Alexander Clouter