summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
2456264)
The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be
used to disable use of TLSv1.0 for a network configuration. This can be
used to force a newer TLS version to be used. For example,
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that
only TLS v1.2 is accepted.
Signed-off-by: Jouni Malinen <j@w1.fi>
#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
#define TLS_CONN_EAP_FAST BIT(7)
#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
#define TLS_CONN_EAP_FAST BIT(7)
+#define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
/**
* struct tls_connection_params - Parameters for TLS connection
/**
* struct tls_connection_params - Parameters for TLS connection
#endif /* SSL_clear_options */
#endif /* SSL_OP_NO_TICKET */
#endif /* SSL_clear_options */
#endif /* SSL_OP_NO_TICKET */
+#ifdef SSL_OP_NO_TLSv1
+ if (params->flags & TLS_CONN_DISABLE_TLSv1_0)
+ SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1);
+ else
+ SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1);
+#endif /* SSL_OP_NO_TLSv1 */
#ifdef SSL_OP_NO_TLSv1_1
if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_1
if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);
params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
if (os_strstr(txt, "tls_disable_session_ticket=0"))
params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
if (os_strstr(txt, "tls_disable_session_ticket=0"))
params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
+ if (os_strstr(txt, "tls_disable_tlsv1_0=1"))
+ params->flags |= TLS_CONN_DISABLE_TLSv1_0;
+ if (os_strstr(txt, "tls_disable_tlsv1_0=0"))
+ params->flags &= ~TLS_CONN_DISABLE_TLSv1_0;
if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
params->flags |= TLS_CONN_DISABLE_TLSv1_1;
if (os_strstr(txt, "tls_disable_tlsv1_1=0"))
if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
params->flags |= TLS_CONN_DISABLE_TLSv1_1;
if (os_strstr(txt, "tls_disable_tlsv1_1=0"))
# EAP workarounds are disabled with eap_workaround=0.
# For EAP-FAST, this must be set to 0 (or left unconfigured for the
# default value to be used automatically).
# EAP workarounds are disabled with eap_workaround=0.
# For EAP-FAST, this must be set to 0 (or left unconfigured for the
# default value to be used automatically).
+# tls_disable_tlsv1_0=1 - disable use of TLSv1.0
# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers