On Tue, Oct 25, 2022 at 07:35:10PM +0000, Jeffery Miller wrote: > Add the `sae_check_mfp` global option to limit SAE when PMF will > not be selected for the connection. > With this option SAE is avoided when the hardware is not capable > of PMF due to missing ciphers. > With this option SAE is avoided on capable hardware when the AP > does not enable PMF. > > Allows falling back to PSK on drivers with the > WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher > necessary for PMF. This enables configurations that can fall back > to WPA-PSK and avoid problems associating with APs configured > with `sae_require_mfp=1`. > > Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks > are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE". > In this configuration if the device is unable to use PMF due to > lacking BIP group ciphers it will avoid SAE and fallback to > WPA-PSK for that connection. Thanks, applied. -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
