On Tue, Jan 08, 2019 at 10:18:28AM -0600, Dan Williams wrote:
> Perhaps I don't fully understand, but wouldn't pmf=1 try to enable PMF
> for all SSIDs if supported by SSID/driver, even if the user does not
> actually want to use PMF on that SSID?

Global pmf=1 would make wpa_supplicant try to use PMF for all RSN (WPA2) connections if the AP advertises support for this. This should really be the default behavior for everything now and I don't see much of a use case for the user to try to not use PMF. (And if there is such a use case, ieee80211w=0 in the network profile can be used to override the global pmf=1).

> Usually NetworkManager tries to have per-SSID switches for things,
> because there are times when a network advertises a feature that you
> don't actually want to use for whatever reason (it's broken on one side
> but still advertised, or has some drawbacks that certain users don't
> want to accept, etc).

Other than some conformance/protocol testing purposes, I'm not sure why PMF would not be used. I guess working around a broken AP could be one reason, but I'm not aware of such cases and even if that were to be the case, I'd claim that global pmf=1 and network profile specific possibility to disable that would be a better approach here.

Please also note that I'm planning on changing the default value for the global pmf parameter to be 1 instead of 0 in the next wpa_supplicant release, i.e., enabling PMF automatically unless it has been explicitly disabled with pmf=0 or network profile specific ieee80211w=0.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
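The precedence described in the message above (a network profile's ieee80211w overrides the global pmf, which overrides the built-in default) can be checked against a configuration file with a short audit script. This is an added example, not part of the original message and not wpa_supplicant code; the sample configuration, the function name `effective_pmf` and the simplified line parsing are assumptions made for illustration.

```python
# Added example: report the PMF mode each network profile ends up with.
# Mode names follow the wpa_supplicant.conf values 0/1/2.
PMF_MODES = {0: "disabled", 1: "optional", 2: "required"}

# Constructed sample configuration (not taken from the message).
SAMPLE_CONF = """
pmf=1

network={
    ssid="office"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}

network={
    ssid="legacy-ap"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
    # per-network override of the global pmf=1
    ieee80211w=0
}
"""


def effective_pmf(conf_text, builtin_default=0):
    """Map each ssid to its effective PMF mode.

    builtin_default is the value used when no global pmf line exists;
    0 is the default the message describes as current at the time.
    """
    global_pmf = builtin_default
    networks = []
    current = None  # fields of the network block being read, if any
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if current is not None:
                current[key] = value
            elif key == "pmf":
                global_pmf = int(value)
    # Assumption: resolve after parsing, so a global pmf line placed
    # after a network block still applies to that block.
    return {
        net.get("ssid", "<no ssid>").strip('"'):
            PMF_MODES[int(net.get("ieee80211w", global_pmf))]
        for net in networks
    }


if __name__ == "__main__":
    for ssid, mode in effective_pmf(SAMPLE_CONF).items():
        print(f"{ssid}: PMF {mode}")
```

Passing `builtin_default=1` models the default change proposed in the message, so profiles with neither setting report "optional" instead of "disabled".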