On Thu, Apr 20, 2017 at 02:32:42PM +0100, Hristo Venev wrote:
> It is already present in tls_connection_params.

Could you please clarify how this would maintain the current behavior as far as setting the default value to "DEFAULT:!EXP:!LOW" is concerned? The only reference to that string disappears with this patch..

> wpa_supplicant/config_file.c | 29 ++++-------------------------
> wpa_supplicant/config_winreg.c | 23 +++++------------------

And those changes in config_*.c do not seem to have anything to do with openssl_ciphers. Why are they included in this patch?

> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> @@ -1022,18 +1021,6 @@ void * tls_init(const struct tls_config *conf)
> }
> #endif /* OPENSSL_NO_ENGINE */
>
> - if (conf && conf->openssl_ciphers)
> - ciphers = conf->openssl_ciphers;
> - else
> - ciphers = "DEFAULT:!EXP:!LOW";
> - if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {

This is the only place where "DEFAULT:!EXP:!LOW" was used.. After this patch, it looks like there would be no SSL_CTX_set_cipher_list() unless the configuration has a specific parameter.

> diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
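Review bot: Removing the whole block, including the else branch, leaves the SSL_CTX on OpenSSL's built-in default cipher list whenever conf->openssl_ciphers is unset; the deleted lines were the only place "DEFAULT:!EXP:!LOW" was applied, so EXP and LOW suites are no longer excluded by this code. Keep the fallback, i.e. `ciphers = "DEFAULT:!EXP:!LOW";` followed by the `SSL_CTX_set_cipher_list(ssl, ciphers)` call, or apply the same default in whatever per-connection path now consumes tls_connection_params, so that behavior with no explicit configuration stays unchanged.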
> @@ -2573,6 +2573,14 @@ struct wpa_ssid * wpa_config_add_network(struct wpa_config *config)
> return NULL;
> ssid->id = id;
> dl_list_init(&ssid->psk_list);
> +
> + if (config->openssl_ciphers != NULL) {
> + ssid->eap.openssl_ciphers = os_strdup(config->openssl_ciphers);
> + if (ssid->eap.openssl_ciphers == NULL)
> + os_free(ssid);
> + return NULL;
> + }

This seems to assume that config->openssl_ciphers is set before adding a new network block. That does not necessarily have to be the case, and global openssl_ciphers changes should update behavior for existing network blocks. Or is this setting of the default here the reason for the config_*.c changes, since they would now use wpa_config_add_network()? If so, please provide more justification for doing these changes. The changes for reading the network blocks and adding the networks one by one would be less efficient due to having to assign the ssid->id and prio ordering separately for each network block.

-- 
Jouni Malinen PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
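Review bot: The inner `if` after os_strdup() has no braces, so `return NULL;` runs unconditionally inside the outer block: whenever config->openssl_ciphers is set, wpa_config_add_network() returns NULL even when the os_strdup() succeeded, and the freshly allocated ssid together with its duplicated cipher string is leaked. Wrap both statements: `if (ssid->eap.openssl_ciphers == NULL) { os_free(ssid); return NULL; }`. Even with that fixed, copying the global value only at network-creation time means a later change to the global openssl_ciphers is not reflected in existing network blocks.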