EAP-TLS disabling TLS Session reuse and SSL_CTX_set_options( SSL_OP_NO_TICKET)

Phillips, Owain owain.phillips
Tue Apr 3 03:24:18 PDT 2012


I am using wpa_supplicant 0.7.3 and openssl 0.9.8q.

I get some issue using Cisco ACS 5.2 and wpa_supplicant in EAP-TLS mode. wpa_supplicant seems to be trying to use TLS Session reuse and this is leading to failed authentications and the access switch I am connected to sending me an EAP-Failure.

I have tried to disable TLS Session reuse using the "fast_reauth=0" config option; this did not work.

One of my colleagues who has disabled session reuse for other sub-systems on our HW disabled the session reuse using SSL_CTX_set_options( ctx, SSL_OP_NO_TICKET) for his SSL contexts.
I have patched the same fix into wpa_supplicant and seen this stops wpa_supplicant offering the session reuse and stops my failed reauthentications; all works fine.

Now I would like to run with the standard unadulterated wpa_supplicant. Are there any plans to disable session reuse using this SSL_CTX_set_options(); which appears to be the standard way of disabling session reuse in OpenSSL?

I have then seen you have produced a set of patches to OpenSSL to do with session reuse and TLS extensions. I believe OpenSSL 0.9.8q sends TLS Extensions by default.

Can someone please recommend to me how to proceed? Currently my path of least resistance seems to be to produce my own patch for wpa_supplicant?
