Alan DeKok wrote:
On Dec 12, 2018, at 3:48 PM, Andrej Shadura <andrew.shadura@xxxxxxxxxxxxxxx> wrote:
On 05/12/2018 09:52, Andrej Shadura wrote:
On 05/12/2018 00:09, Jouni Malinen wrote:
Right, so what would you recommend for me to do in the meanwhile?
Hardcode a minimal version just for wpa-supplicant to TLSv1.0? What
about ciphers? Anything else?
I would really appreciate some opinion from Jouni or other people on
this list.
My $0.02 is to have an "allow TLSv1.0" configuration option, but have it disabled by default. It's what we do in FreeRADIUS.
It's arguably bad in minor ways to allow TLSv1.0. But preventing people from getting online is likely worse.
I'll +1 this. It shits me no end that Java and browsers have dropped
SSLv2/3+TLSv1.0 in the name of security with no option to turn it on. I
have some embedded hardware that is only accessible over VPN on a
dedicated network that I have to run an old OS with old Java and old
browsers to access. Sure it's a major security issue, but hell why can
we not have options to force it on (even if the code is built to turn it
back off after a set amount of time) for those that actually know what
they are doing...?
I'll go get coffee now...
--
Michelle Sullivan
http://www.mhix.org/
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap