From 06836013d33b63c2aaa9bcde391e79a4113f101d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 28 Jul 2015 11:53:13 +0300
Subject: [PATCH] OpenSSL: Remove EAP-FAST TLSv1.0 only workaround for OpenSSL 1.1.0
The issue with the special form of TLS session tickets has been fixed in the OpenSSL 1.1.0 branch, so disable workaround for it. OpenSSL 1.0.1 and 1.0.2 workaround is still in place until a release with the fix has been made. This allows TLSv1.1 and TLSv1.2 to be negotiated for EAP-FAST with the OpenSSL versions that support this.
Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index ea963c6..601ea93 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3631,6 +3631,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 if (can_pkcs11 == 2 && !engine_id) engine_id = "pkcs11";
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 if (params->flags & TLS_CONN_EAP_FAST) {
 wpa_printf(MSG_DEBUG, "OpenSSL: Use TLSv1_method() for EAP-FAST");
@@ -3640,6 +3641,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 return -1;
 }
 }
+#endif
 while ((err = ERR_get_error())) {
 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
--
2.1.4
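Review bot: The guard added in the first hunk, `#if OPENSSL_VERSION_NUMBER < 0x10100000L` (closed by the `#endif` in the second hunk), keys only on the OpenSSL version macro, and LibreSSL defines `OPENSSL_VERSION_NUMBER` as 0x20000000L, so a LibreSSL build would silently lose the EAP-FAST TLSv1.0 workaround although the commit message states the session-ticket fix only for the OpenSSL 1.1.0 branch. If this file can be built against LibreSSL, the condition should read `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. A short comment above the `#if` naming the session-ticket issue, plus `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */`, would tell a later reader when the TLSv1.0 pin can be deleted. The body of tls_connection_set_params() starts and ends outside both hunks.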