X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=wpa_supplicant%2Fwpa_supplicant.conf;h=3603cf3a9f686cb4f9aefe484649423229218c84;hb=5cdd729e26e21f75522b210fa54a1820fb7d5c93;hp=45bf518622de39f45ac3c0191b70f4ea8d93992c;hpb=22950049e40696ea1d578be54c217942be285b63;p=mech_eap.git diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 45bf518..3603cf3 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf @@ -168,10 +168,13 @@ ap_scan=1 fast_reauth=1 # OpenSSL Engine support -# These options can be used to load OpenSSL engines. +# These options can be used to load OpenSSL engines in special or legacy +# modes. # The two engines that are supported currently are shown below: # They are both from the opensc project (http://www.opensc.org/) -# By default no engines are loaded. +# By default the PKCS#11 engine is loaded if the client_cert or +# private_key option appear to be a PKCS#11 URI, and these options +# should not need to be used explicitly. # make the opensc engine available #opensc_engine_path=/usr/lib/opensc/engine_opensc.so # make the pkcs11 engine available @@ -197,7 +200,7 @@ fast_reauth=1 #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so # Driver interface parameters -# This field can be used to configure arbitrary driver interace parameters. The +# This field can be used to configure arbitrary driver interface parameters. The # format is specific to the selected driver interface. This field is not used # in most cases. #driver_param="field=value" @@ -440,6 +443,28 @@ fast_reauth=1 # matching network block #auto_interworking=0 +# GAS Address3 field behavior +# 0 = P2P specification (Address3 = AP BSSID); default +# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when +# sent to not-associated AP; if associated, AP BSSID) +#gas_address3=0 + +# Publish fine timing measurement (FTM) responder functionality in +# the Extended Capabilities element bit 70. +# Controls whether FTM responder functionality will be published by AP/STA. +# Note that actual FTM responder operation is managed outside wpa_supplicant. +# 0 = Do not publish; default +# 1 = Publish +#ftm_responder=0 + +# Publish fine timing measurement (FTM) initiator functionality in +# the Extended Capabilities element bit 71. +# Controls whether FTM initiator functionality will be published by AP/STA. +# Note that actual FTM initiator operation is managed outside wpa_supplicant. +# 0 = Do not publish; default +# 1 = Publish +#ftm_initiator=0 + # credential block # # Each credential used for automatic network selection is configured as a set @@ -474,6 +499,10 @@ fast_reauth=1 # (EAP-TLS). Full path to the file should be used since working # directory may change when wpa_supplicant is run in the background. # +# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI. +# +# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" +# # Alternatively, a named configuration blob can be used by setting # this to blob://blob_name. # @@ -484,6 +513,9 @@ fast_reauth=1 # used since working directory may change when wpa_supplicant is run # in the background. # +# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI. +# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" +# # Windows certificate store can be used by leaving client_cert out and # configuring private_key in one of the following formats: # @@ -880,9 +912,13 @@ fast_reauth=1 # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. # +# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used +# as the dot11RSNAConfigGroupRekeyTime parameter when operating in +# Authenticator role in IBSS. +# # Following fields are only used with internal EAP implementation. # eap: space-separated list of accepted EAP methods -# MD5 = EAP-MD5 (unsecure and does not generate keying material -> +# MD5 = EAP-MD5 (insecure and does not generate keying material -> # cannot be used with WPA; to be used as a Phase 2 method # with EAP-PEAP or EAP-TTLS) # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used @@ -973,23 +1009,23 @@ fast_reauth=1 # automatically converted into DH params. # subject_match: Substring to be matched against the subject of the # authentication server certificate. If this string is set, the server -# sertificate is only accepted if it contains this string in the subject. +# certificate is only accepted if it contains this string in the subject. # The subject string is in following format: # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com -# Note: Since this is a substring match, this cannot be used securily to +# Note: Since this is a substring match, this cannot be used securely to # do a suffix match against a possible domain name in the CN entry. For # such a use case, domain_suffix_match or domain_match should be used # instead. # altsubject_match: Semicolon separated string of entries to be matched against # the alternative subject name of the authentication server certificate. -# If this string is set, the server sertificate is only accepted if it +# If this string is set, the server certificate is only accepted if it # contains one of the entries in an alternative subject name extension. # altSubjectName string is in following format: TYPE:VALUE # Example: EMAIL:server@example.com # Example: DNS:server.example.com;DNS:server2.example.com # Following types are supported: EMAIL, DNS, URI # domain_suffix_match: Constraint for server domain name. If set, this FQDN is -# used as a suffix match requirement for the AAAserver certificate in +# used as a suffix match requirement for the AAA server certificate in # SubjectAltName dNSName element(s). If a matching dNSName is found, this # constraint is met. If no dNSName values are present, this constraint is # matched against SubjectName CN using same suffix match comparison. @@ -1175,6 +1211,11 @@ fast_reauth=1 # Beacon interval (default: 100 TU) #beacon_int=100 +# WPS in AP mode +# 0 = WPS enabled and configured (default) +# 1 = WPS disabled +#wps_disabled=0 + # MAC address policy # 0 = use permanent MAC address # 1 = use random MAC address for each ESS connection @@ -1237,13 +1278,13 @@ fast_reauth=1 ##### Fast Session Transfer (FST) support ##################################### # # The options in this section are only available when the build configuration -# option CONFIG_FST is set while compiling hostapd. They allow this interface -# to be a part of FST setup. +# option CONFIG_FST is set while compiling wpa_supplicant. They allow this +# interface to be a part of FST setup. # # FST is the transfer of a session from a channel to another channel, in the # same or different frequency bands. # -# For detals, see IEEE Std 802.11ad-2012. +# For details, see IEEE Std 802.11ad-2012. # Identifier of an FST Group the interface belongs to. #fst_group_id=bond0 @@ -1576,22 +1617,10 @@ network={ group=CCMP TKIP identity="user@example.com" ca_cert="/etc/cert/ca.pem" - client_cert="/etc/cert/user.pem" - - engine=1 - - # The engine configured here must be available. Look at - # OpenSSL engine support in the global section. - # The key available through the engine must be the private key - # matching the client certificate configured above. - - # use the opensc engine - #engine_id="opensc" - #key_id="45" - # use the pkcs11 engine - engine_id="pkcs11" - key_id="id_45" + # Certificate and/or key identified by PKCS#11 URI (RFC7512) + client_cert="pkcs11:manufacturer=piv_II;id=%01" + private_key="pkcs11:manufacturer=piv_II;id=%01" # Optional PIN configuration; this can be left out and PIN will be # asked through the control interface