Re: [RFC] Disable TLSv1.0 by default, but allow enabling it

On Tue, Dec 04, 2018 at 01:00:08PM +0100, Andrej Shadura wrote:
> This patch is not intended to be merged into the upstream code, but I
> would still like to receive comments from people involved in development.
> 
> In the Debian bug reports #907518 and #911297 (see below), people complained
> that OpenSSL 1.1.1 disables TLSv1.0 and some other insecure settings by
> default, but some older networks may still require their support:

This is going to break lots of WLAN connections in practice..
Unfortunately, enterprise authentication servers are something that do
not really get updated easily and when something is updated, things
tend to break horribly.. For that to change, I guess there would need
to be a change in a significant number of client devices (or some
very widely used device) to start rejecting the connections with a clear
message indicating that the issue is in the server and not something
that the client device can fix on its own.

In practice, though, wpa_supplicant may have to start overriding this
type of system-wide enforcement to prevent cases where the user has no
way of impacting the authentication server operator, so something may need
to be merged into hostap.git to get more reasonable behavior than "not
working until server is updated (which may never happen)".

It should also be noted that use of TLS in EAP is quite different from
other cases like HTTPS, i.e., EAP uses a very limited amount of
application data (or even none of it in case of EAP-TLS), so the impact
of various TLS issues with past versions may be different as well. There
are some clear cases like not allowing too short DH keys to be used
which can certainly be justified from a security viewpoint, but fully
disabling TLS v1.0 by default may not be something that the EAP world is
ready for yet.. Some ciphers might also be possible to disable without
losing too much interoperability with currently deployed authentication
servers.

-- 
Jouni Malinen                                            PGP id EFC895FA
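As an added example (not configuration from this thread, from hostap, or from Debian), here is a wpa_supplicant.conf that leaves the platform's default TLS policy in place for ordinary enterprise networks and scopes the TLSv1.0 relaxation to the single legacy network whose authentication server needs it, which is the per-network override the reply above anticipates rather than a system-wide change to openssl.cnf. The SSIDs, identity, certificate paths and domain names are made up, and it is an assumption that the wpa_supplicant build in use honours the explicit `tls_disable_tlsv1_0=0` phase1 parameter as an override of the OpenSSL system-wide minimum version (later hostap releases document it that way; the code at the time of this thread may not have).

```conf
# wpa_supplicant.conf (constructed example, not from the thread)
ctrl_interface=/var/run/wpa_supplicant

# Ordinary enterprise network: no TLS overrides, so the minimum protocol
# version enforced by the system OpenSSL configuration applies to the
# EAP handshake (on the OpenSSL 1.1.1 builds the Debian bugs describe,
# that means TLSv1.0 is off here).
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="PLACEHOLDER"
    # assumed path to the CA that issued the RADIUS server certificate
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example.org"
    phase2="auth=MSCHAPV2"
}

# Legacy network whose authentication server still only speaks TLSv1.0.
# tls_disable_tlsv1_0=0 explicitly re-enables TLSv1.0 for this network
# block only. Assumption: the installed wpa_supplicant treats the
# explicit "=0" as an override of the system-wide OpenSSL minimum.
# Certificate validation (ca_cert + domain_match) is kept in place so
# that relaxing the protocol version does not also remove server
# authentication, which is the part that actually protects the
# user's credentials in PEAP.
network={
    ssid="legacy-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="PLACEHOLDER"
    ca_cert="/etc/ssl/certs/legacy-radius-ca.pem"
    domain_match="radius.legacy.example.org"
    phase1="tls_disable_tlsv1_0=0"
    phase2="auth=MSCHAPV2"
}
```

Keeping the relaxation inside one `network={}` block means every other EAP connection on the device still gets the stricter default, and the block itself documents which server is the reason for the exception, so it can be removed once that server is updated.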
