On Thu, May 05, 2022 at 08:56:18AM +0200, Alan DeKok wrote:
> On May 4, 2022, at 6:16 PM, Jouni Malinen <j@xxxxx> wrote:
> > I'll probably add at least this into wpa_supplicant with a clear event
> > message identifying this specific issue to upper layers and a
> > network-specific configuration parameter for enabling the workaround
> > (and a suitable set of warnings to recommend against using this
> > workaround in cases where the user cares about real security..).
>
> That seems best. This should likely not be enabled by default, and maybe even require special build options.

This parameter is now available to (re-)enable the workaround in OpenSSL
3.0 (phase1="allow_unsafe_renegotiation=1"):
https://w1.fi/cgit/hostap/commit/?id=566ce69a8d0e64093309cbde80235aa522fbf84e

And upper layer components can use this notification to get a clear
indication when this workaround would be needed:
https://w1.fi/cgit/hostap/commit/?id=a561d12d24c2c8bb0f825d4a3a55a5e47e845853

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
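Because the message says the workaround is per network and not recommended where real security matters, a configuration audit can list the network blocks that enable it. The following is an added example, not part of the original message or of the hostap code; the sample configuration is constructed, and the script assumes phase1 options are space-separated and that each block opens with a bare `network={` line.

```python
# Constructed sample wpa_supplicant.conf; SSIDs are made up.
SAMPLE_CONF = '''
ctrl_interface=/run/wpa_supplicant
network={
    ssid="corp-legacy"
    eap=PEAP
    phase1="peaplabel=0 allow_unsafe_renegotiation=1"
}
network={
    ssid="corp-main"
    eap=TLS
    # phase1="allow_unsafe_renegotiation=1"
    phase1="tls_disable_tlsv1_0=1"
}
network={
    ssid="lab"
    eap=TTLS
    phase1="allow_unsafe_renegotiation=0"
}
'''

FLAG = "allow_unsafe_renegotiation=1"  # parameter named in the message above

def find_unsafe_renegotiation(conf_text):
    """Return [(ssid, line_no)] for network blocks whose phase1 enables FLAG."""
    findings, in_block, ssid, hit_line = [], False, None, None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out settings do not count
        if not in_block:
            in_block, ssid, hit_line = line == "network={", None, None
            continue
        if line == "}":  # end of block: report once, whatever the key order
            if hit_line is not None:
                findings.append((ssid, hit_line))
            in_block = False
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"')
        if key == "ssid":
            ssid = value
        elif key == "phase1" and FLAG in value.split():
            hit_line = line_no
    return findings

if __name__ == "__main__":
    for ssid, line_no in find_unsafe_renegotiation(SAMPLE_CONF):
        print(f"line {line_no}: network {ssid!r} enables {FLAG}")
```

Only the first block is reported: the second has the setting commented out and the third sets it to 0.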