Hi Jouni, On Sat, May 7, 2022 at 1:50 PM Jouni Malinen <j@xxxxx> wrote: > On Thu, May 05, 2022 at 08:56:18AM +0200, Alan DeKok wrote: > > > On May 4, 2022, at 6:16 PM, Jouni Malinen <j@xxxxx> wrote: > > > > > I'll probably add at least this into wpa_supplicant with a clear > > > event message identifying this specific issue to upper layers > > > and a network-specific configuration parameter for enabling the > > > workaround (and a suitable set of warnings to recommend against > > > using this workaround in cases where the user care about real > > > security..). > > > > That seems best. This should likely not be enabled by default, > > and maybe even require special build options. > > This parameter is now available to (re-)enable the workaround in > OpenSSL 3.0 (phase1="allow_unsafe_renegotiation=1"): > https://w1.fi/cgit/hostap/commit/?id=566ce69a8d0e64093309cbde80235aa522fbf84e > > And upper layer components can use this notification to get a clear > indication when this workaround would be needed: > https://w1.fi/cgit/hostap/commit/?id=a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Would you be willing to accept a patch to change the name of this option from: allow_unsafe_renegotiation to: allow_legacy_server_connect ? Per OpenSSL (1), there are two options related to RFC5746 (2) checking: SSL_OP_LEGACY_SERVER_CONNECT: Permit OpenSSL clients to connect to TLS servers that do not indicate support for RFC5746 secure renegotiation in the initial TLS handshake. This is the only behavior enabled by this option. In particular, both OpenSSL clients and servers will continue to reject renegotiation attempts from a client/server that did not indicate support for RFC5746 secure renegotiation during the initial TLS handshake. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION: Ignore all lack of RFC5746 secure renegotiation support in either a client or server context. Not only does this permit OpenSSL clients to connect to TLS servers that do not indicate support for RFC5746 secure renegotiation during the initial TLS handshake, but it additionally means that both OpenSSL clients and servers will always permit renegotiation, even if the client/server did not indicate support for RFC5746 secure renegotiation during the initial TLS handshake. This option is *dangerous*, and should almost never be enabled, because it makes OpenSSL server instances vulnerable to the man-in-the-middle attack described in RFC5746. For those familiar with OpenSSL, naming the wpa_supplicant option “allow_unsafe_renegotiation” gives the impression that it is enabling the dangerous SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option under the hood. But it isn’t; it is setting SSL_OP_LEGACY_SERVER_CONNECT: #ifdef SSL_OP_LEGACY_SERVER_CONNECT if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION) SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT); #endif /* SSL_OP_LEGACY_SERVER_CONNECT */ This is really, really confusing, and it is causing consternation for the NetworkManager folks (3) (4), because they now have two choices, both unpalatable: 1. Name the NetworkManager option “allow unsafe renegotiation” in order to match what wpa_supplicant calls the option, despite the fact that it makes it seem like this will set SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. 2. Name the NetworkManager option “allow_legacy_server_connect” to correctly reflect the underlying OpenSSL option that is being enabled, which will be confusing because the NetworkManager “allow_legacy_server_connect” option will in fact toggle the wpa_supplicant “allow_unsafe_renegotiation” option. I would gently suggest the best course of action here is to change the name of the wpa_supplicant option to better reflect the OpenSSL option that is being toggled by that option: that is, change the wpa_supplicant option name from “allow_unsafe_renegotiation” to “allow_legacy_server_connect”. There hasn’t been a new hostap release since commits 566ce69a/a561d12d, so changing the option name from allow_unsafe_renegotiation to allow_legacy_server_connect won’t break anyone or any configurations (except possible people building hostap from the main branch who manually set the option). Thoughts? (1) https://www.openssl.org/docs/man3.0/man3/SSL_clear_options.html#SECURE-RENEGOTIATION (2) https://datatracker.ietf.org/doc/html/rfc5746 (3) https://bugzilla.redhat.com/show_bug.cgi?id=2072070 (4) https://bugzilla.redhat.com/show_bug.cgi?id=2077973 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
