Re: wpa_supplicant 2.4 / 2.5 Openssl TLS-PRF Problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1 Apr 2016, at 12:34, Jouni Malinen wrote:

On Fri, Apr 01, 2016 at 11:37:40AM +0200, Thomas Rosenstein wrote:
OpenSSL Version is 1.0.1k-fips 8 Jan 2015 from Fedora 22.

Any idea which version they changed it?

The issue I was thinking of was fixed with this commit:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4fdf917

It was present in OpenSSL 1.0.1f but should be fixed in 1.0.1h and I'd
assume that would include 1.0.1k in Fedora if that really is based on
1.0.1k and not just some important fixes being pulled into an earlier
snapshot. I think this issue is still present in the Ubuntu 14.04
package for example, but that is identified as 1.0.1f-1ubuntu2.18.

It's identified as package openssl.x86_64 1:1.0.1k-14.fc22


So if it is not that one, then something else.. Which TLS cipher suite
are you using here and what kind of X.509 certificate(s) (mainly, the
signature algorithms)?

sha256WithRSAEncryption

It's a public certificate, other side is openssl from NodeJS.

I'm now using TLSv1_server_method to mitigate the issue (since it only happens with TLS1.2) before that I used TLS_method as secureProtocol method.

Please note that the hash function changes and
the wpa_supplicant implementation of the internal key derivation does
not support this correctly for some cases (which is one of the reason
for that use of SSL_export_keying_material() being used in the first
place).

I'm only aware of the change SHA1-MD5 -> SHA256 with the transition from TLS1.1 to TLS1.2.

Are there other algorithms in use?

I know that with 2.3 the TLS1.2 was not implemented correctly, with 2.5 I believe there's a commit adding the functionality.


--
Jouni Malinen PGP id EFC895FA


Thomas

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux