wpa-supplicant EAP-TLS Key derivation TLS 1.2

Jouni Malinen j
Fri Aug 28 09:08:54 PDT 2015

On Fri, Aug 28, 2015 at 03:28:52PM +0100, Nick Lowe wrote:
> You derive it based on the TLS version.
> SSL_export_keying_material() is fine to use as all OpenSSL versions
> that implement TLS 1.2 support this.
> Falling back where it is not available is therefore fine.

For existing cases, yes, that was the case. With TLS v1.2 getting
enabled for EAP-FAST with some new OpenSSL versions, additional changes
are needed. That's why the fallback does now have support for TLS v1.2
-based key derivation:

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list