On Wed, 2019-01-09 at 01:39 +0200, Jouni Malinen wrote:
> On Tue, Jan 08, 2019 at 10:18:28AM -0600, Dan Williams wrote:
> > Perhaps I don't fully understand, but wouldn't pmf=1 try to enable PMF
> > for all SSIDs if supported by SSID/driver, even if the user does not
> > actually want to use PMF on that SSID?
>
> Global pmf=1 would make wpa_supplicant try to use PMF for all RSN (WPA2)
> connections if the AP advertises support for this. This should really be
> the default behavior for everything now and I don't see much of a use
> case for the user to try to not use PMF. (And if there is such a use
> case, ieee80211w=0 in the network profile can be used to override the
> global pmf=1).

Ok, that seems like an acceptable override behavior to allow users to
turn it off per-SSID if for some reason they don't want it. I'll pass
that along.

Thanks!
Dan

> > Usually NetworkManager tries to have per-SSID switches for things,
> > because there are times when a network advertises a feature that you
> > don't actually want to use for whatever reason (it's broken on one side
> > but still advertised, or has some drawbacks that certain users don't
> > want to accept, etc).
>
> Other than some conformance/protocol testing purposes, I'm not sure why
> PMF would not be used. I guess working around a broken AP could be one
> reason, but I'm not aware of such cases and even if that were to be the
> case, I'd claim that global pmf=1 and network profile specific
> possibility to disable that would be better approach here.
>
> Please also note that I'm planning on changing the default value for the
> global pmf parameter to be 1 instead 0 in the next wpa_supplicant
> release, i.e., enabling PMF automatically unless it has been explicitly
> disabled with pmf=0 or network profile specific ieee80211w=0.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap