[LEDE-DEV] [PATCH 3/3] hostapd/wpa_supplicant: require SHA256-based algorithms for ieee80211w=2

Stijn Tintel stijn at linux-ipv6.be
Tue Dec 27 19:33:57 PST 2016


On 27-12-16 12:57, Stijn Tintel wrote:
> While the standard does not require SHA256-based algorithms when PMF is
> mandatory, there's not much of a point in keeping the old algorithms
> enabled.
>
> See http://lists.shmoo.com/pipermail/hostap/2014-November/031283.html

Please ignore this patch, I am going to drop it for the following reasons:

- When ieee80211w is not defined, wpa_key_mgmt is not added to the
hostapd config at all. While I am still able to associate like that,
this might cause unexpected behaviour with future hostapd releases.

- When ieee80211w=2 and only WPA-PSK-SHA256 is enabled, my OnePlus 2
(Android 6.0.1) is unable to associate. When WPA-PSK is also enabled, it
associates fine. So this change has the potential to break existing
setups with ieee80211w=2. While it might not make much sense to have
WPA-PSK with PMK required, it does protect against a simple deauth attack.

Stijn
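
An added example, not part of the message above and not code from LEDE or hostapd: a shell check that classifies a hostapd config file by the combinations described in the message (no `wpa_key_mgmt` line at all, or PMF enabled with SHA256-only, mixed, or legacy-only key management). The function names and verdict labels are this example's own, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: classify a hostapd.conf by its PMF setting (ieee80211w)
# and the key-management suites it offers (wpa_key_mgmt).

# Print the last value assigned to key $2 in config file $1 (empty if unset).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one verdict for config file $1:
#   no-akm       wpa_key_mgmt is missing from the file
#   pmf-off      ieee80211w is unset or 0
#   sha256-only  PMF on, only SHA256-based suites offered
#   mixed        PMF on, SHA256-based and older suites both offered
#   legacy-only  PMF on, no SHA256-based suite offered
audit_pmf() {
    pmf=$(conf_get "$1" ieee80211w)
    akm=$(conf_get "$1" wpa_key_mgmt)
    if [ -z "$akm" ]; then echo no-akm; return 0; fi
    if [ "${pmf:-0}" = 0 ]; then echo pmf-off; return 0; fi
    sha=0; legacy=0
    for suite in $akm; do
        case "$suite" in
            WPA-PSK-SHA256|WPA-EAP-SHA256) sha=1 ;;
            WPA-PSK|WPA-EAP) legacy=1 ;;
        esac
    done
    case "$sha$legacy" in
        10) echo sha256-only ;;
        11) echo mixed ;;
        01) echo legacy-only ;;
        *)  echo other ;;
    esac
}

# Constructed sample: ieee80211w=2 with only WPA-PSK-SHA256 enabled,
# the setup the message reports one client could not associate with.
demo() {
    f=$(mktemp)
    printf 'ieee80211w=2\nwpa_key_mgmt=WPA-PSK-SHA256\n' > "$f"
    audit_pmf "$f"
    rm -f "$f"
}

demo
```

A `sha256-only` verdict marks a config worth testing against older clients before rollout; `no-akm` marks one that relies on hostapd's built-in default.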



