On Thu, Mar 31, 2022 at 12:19:30PM +0200, Mathias wrote:
> Thanks for the quick reply. My wifi router is set to accept both TKIP
> and AES so I thought that wpa_supplicant and the router would negotiate
> to use AES in this case, instead of refusing to connect. Gentoo has a
> way of letting me mess with build flags that I suppose controls
> CONFIG_NO_TKIP and, this way, 2.10 is now working for me.
>
> However, if I wanted to run wpa_supplicant with TKIP disabled, I would
> still expect it to connect to an AP that allows both AES and TKIP.

While such an AP allows the pairwise cipher (i.e., unicast data) to be
negotiated to use CCMP (AES), that configuration will result in the
group cipher (i.e., multicast/broadcast data) using TKIP.
CONFIG_NO_TKIP=y removes all support of TKIP and it will prevent
connections with this type of AP. As such, I'm a bit surprised if
someone is already defining that for general purpose builds.

It would be more reasonable to use runtime configuration to disallow use
of TKIP as the pairwise cipher and allow TKIP to be used as the group
cipher as long as this type of WPA2-Personal mixed mode AP configuration
continues to be used widely. The runtime configuration can also disallow
use of TKIP as the group cipher on a per-network basis, so
CONFIG_NO_TKIP=y is not really needed to prevent TKIP from being used.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
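
The cipher selection described in the reply above, as an added example that is not part of the original thread and is not wpa_supplicant's code: a simplified model that parses an RSN element and applies a client policy. The function names and the sample element are constructed for illustration; the two policy sets stand in for the `pairwise=` and `group=` options of a wpa_supplicant network block.

```python
import struct

OUI = bytes.fromhex("000fac")        # IEEE 802.11 cipher suite OUI
CIPHERS = {2: "TKIP", 4: "CCMP"}     # suite types this sketch understands
STRENGTH = ["TKIP", "CCMP"]          # weakest to strongest

def _suite(raw: bytes) -> str:
    """Map a 4-byte suite selector to a cipher name."""
    return CIPHERS.get(raw[3], "UNKNOWN") if raw[:3] == OUI else "UNKNOWN"

def parse_rsn(ie: bytes):
    """Return (group_cipher, pairwise_ciphers) from an RSN element (ID 48)."""
    if len(ie) < 10 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version")
    count, = struct.unpack_from("<H", body, 6)
    end = 8 + 4 * count
    if count == 0 or end > len(body):
        raise ValueError("truncated pairwise cipher list")
    return _suite(body[2:6]), [_suite(body[i:i + 4]) for i in range(8, end, 4)]

def negotiate(ie: bytes, allowed_pairwise: set, allowed_group: set):
    """Return (pairwise, group) the client would use, or None if it must refuse."""
    group, pairwise = parse_rsn(ie)
    # The AP dictates one group cipher for all stations; the client can only
    # accept it or skip the network. This is why removing TKIP entirely
    # (CONFIG_NO_TKIP=y) rules out a mixed-mode AP.
    if group not in allowed_group:
        return None
    usable = [c for c in STRENGTH if c in pairwise and c in allowed_pairwise]
    return (usable[-1], group) if usable else None

# Constructed sample: mixed-mode AP, group TKIP, pairwise CCMP + TKIP, AKM PSK
MIXED_AP = bytes.fromhex("30" "18" "0100" "000fac02" "0200" "000fac04"
                         "000fac02" "0100" "000fac02" "0000")
# Constructed sample: CCMP-only AP, group CCMP, pairwise CCMP, AKM PSK
CCMP_AP = bytes.fromhex("30" "14" "0100" "000fac04" "0100" "000fac04"
                        "0100" "000fac02" "0000")

if __name__ == "__main__":
    # Like pairwise=CCMP with group=CCMP TKIP: connects, unicast uses CCMP
    print(negotiate(MIXED_AP, {"CCMP"}, {"CCMP", "TKIP"}))
    # Like pairwise=CCMP with group=CCMP (or a TKIP-less build): refused
    print(negotiate(MIXED_AP, {"CCMP"}, {"CCMP"}))
```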