EAP-TLS and TLS Session reuse in 0.7.3

Phillips, Owain owain.phillips
Thu Apr 5 03:16:57 PDT 2012

Hi J,

Find attached the patch I applied to wpa_supplicant to disable TLS session reuse.

All the best,

From: Phillips, Owain
Sent: 02 April 2012 13:13
To: 'j at w1.fi'
Cc: 'hostap at lists.shmoo.com'
Subject: FW: EAP-TLS and TLS Session reuse in 0.7.3

Hi Mr. Malinen,

I understand you are very busy but I wondered if you had commented on my post.

Kind Regards,

From: Phillips, Owain
Sent: 29 March 2012 13:35
To: 'hostap at lists.shmoo.com'
Subject: EAP-TLS and TLS Session reuse in 0.7.3


I am using EAP-TLS on wpa_supplicant 0.7.3 with Cisco ACS 5.2.

I am seeing the WPA_Supplicant offer a session ticket in the TLS exchange.

I would like to disable the session reuse and prevent the wpa_supplicant from offering session reuse in its Client Hello but how?
I tried using the "fast_reauth=0" configuration option, but this appeared not to stop the TLS extension being sent in the hello. (is this only relevant for EAP-FAST?)

I then patched the wpa_supplicant adding the call to SSL_CTX_set_options( SSL_OP_NO_TICKET) for the SSL context. This appears to have worked, but I know this is not the right way to go about things; I really want to use the unadulterated vanilla wpa_supplicant.

What is the correct way to ensure that we DON'T use TLS session reuse with wpa_supplicant?

I am using OpenSSL 0.9.8q-2 SSL libraries.

All the best,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0.7.3NoSessionReuse.patch
Type: application/octet-stream
Size: 545 bytes
Desc: 0.7.3NoSessionReuse.patch
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20120405/03fd4585/attachment-0001.obj 
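
The following is an added example, not part of the original message or the attached patch: a way to confirm that the OpenSSL option named in the thread actually removes the session_ticket extension (type 35, RFC 5077) from a ClientHello. It uses Python's ssl module, which wraps OpenSSL and exposes SSL_OP_NO_TICKET as ssl.OP_NO_TICKET, rather than wpa_supplicant itself. The server name and the TLS 1.2 cap are assumptions made for the test.

```python
import ssl
import struct

SESSION_TICKET_EXT = 35  # RFC 5077 session_ticket extension type


def client_hello_bytes(disable_tickets: bool) -> bytes:
    """Return the first TLS record a client context would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # assumption: peer is TLS <= 1.2
    if disable_tickets:
        ctx.options |= ssl.OP_NO_TICKET  # same flag as SSL_OP_NO_TICKET in C
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "radius.example.invalid" is a placeholder name, used only for SNI.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="radius.example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and no server is answering
    return outgoing.read()


def extension_types(record: bytes) -> list:
    """Parse a ClientHello record and return the extension type numbers it offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]          # session_id
    (suites_len,) = struct.unpack_from("!H", record, pos)
    pos += 2 + suites_len           # cipher_suites
    pos += 1 + record[pos]          # compression_methods
    if pos >= len(record):
        return []                   # ClientHello without an extensions block
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = pos + ext_total
    found = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        found.append(ext_type)
        pos += 4 + ext_len
    return found


def offers_session_ticket(disable_tickets: bool) -> bool:
    return SESSION_TICKET_EXT in extension_types(client_hello_bytes(disable_tickets))


if __name__ == "__main__":
    print("default context offers ticket:", offers_session_ticket(False))
    print("with OP_NO_TICKET offers ticket:", offers_session_ticket(True))
```

The same extension check can be applied to a captured EAP-TLS ClientHello once the TLS record has been reassembled from the EAP fragments.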