[PATCH v3 0/2] EAP-{TTLS,PEAP} support (draft) for TLS 1.3

Alexander Clouter alex at digriz.org.uk
Sat Feb 20 12:03:04 EST 2021


On Sat, 20 Feb 2021, at 16:25, Jouni Malinen wrote:
> On Fri, Oct 16, 2020 at 09:49:34AM +0100, Alexander Clouter wrote:
> > Support TLS 1.3 for EAP-{TTLS,PEAP} as described in
> > draft-ietf-emu-tls-eap-types and tested against FreeRADIUS[1].
> > 
> > [1] https://github.com/FreeRADIUS/freeradius-server/pull/3517
> > Alexander Clouter (2):
> >   EAP-TTLS/PEAP peer: fix failure when using session tickets under TLS 1.3
> >   EAP peer/server: support for draft-ietf-emu-tls-eap-types-00
> Thanks, applied with some cleanup. In particular, I split patch 2/2 into
> smaller commits to make it easier to understand what is being changed.

Thank you for this in particular where you put your time into fixing them up.

> I also replaced the references to the draft-ietf-emu-eap-tls13
> draft to use the revision -13 explicitly instead of the latest version
> since it looks like the Commitment Message implementation does not
> really match what is there now in -14 that came out after these patches
> were posted.

There is a lively debate underway on the emu mailing list on what to do here and no doubt soon I will need to update hostap to track further changes.

My understanding is that though replacing the commitment message (revision-13) with a SSL close_notify (revision-14) works for EAP-TLS, it makes things a little fruity for TTLS/PEAP especially around session resumption and how to signal types of errors (unknown CA, etc).

Time will tell, but I do plan to provide further patches once the dust settles to hostap; maybe like FreeRADIUS currently has where a configuration toggle to flip between these different signalling methods is offered. 


Alexander Clouter

More information about the Hostap mailing list