GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support

Simon Josefsson jas at
Thu Dec 15 04:00:05 EST 2005

Jouni Malinen <jkmaline at> writes:

> On Wed, Dec 14, 2005 at 02:37:02PM +0100, Simon Josefsson wrote:
>> We are pleased to present a customized version of GnuTLS 1.2.8 that
>> adds an implementation of the TLS Inner Application (TLS/IA) protocol.
>> The goal is to merge this TLS/IA branch with the main development
>> branch (1.3.x) and then to investigate how EAP-TTLSv1 can be
>> implemented.  We invite suggestions and comments on these matters.
> This is interesting and welcome development to see in an open source TLS
> library.


> I've considered implementing EAP-TTLSv1, but haven't so far had
> enough interest to start working on it; partly because of it
> involving changes to the TLS library.

I understand.  I think we'd like to have EAP-TTLSv1 implemented, and I
may start working on that.

> I've implemented EAP-TTLSv0 in wpa_supplicant (EAP peer) and hostapd
> (EAP authenticator/authentication server). Both of these programs use an
> internal TLS wrapper interface to allow different TLS libraries to be
> used. In case of wpa_supplicant, there is enough functionality to run
> EAP-TTLSv0 with both OpenSSL and GnuTLS.

I did look at the code, and found this modularization neat.  I did
wonder whether the GnuTLS wrapper was complete enough for EAP-TTLSv0
to work, so you answered one of my questions here.

Is there anything the GnuTLS wrapper in wpa_supplicant does not
support?  I.e., is there ever a need to use OpenSSL?  If feasible,
we'd like for distributors of wpa_supplicant (like Debian) to use
wpa_supplicant with GnuTLS, so that EAP-TTLSv1 can work.

Another question: I also see there is a TLS wrapper for Schannel.
Does EAP-TTLSv0 in wpa_supplicant work under Windows?  Does it use the
Windows SSPI credential store and CA certificates?  In general, how
complete is the Windows support in wpa_supplicant?

> One of the things I'm currently going through in the new development
> branch is cleanup on various internal interfaces and one of these would
> indeed be the TLS wrapper interface. This would be a good point to also
> take a look at what kind of functionality would be needed to add support
> for using TLS/IA and start extending EAP-TTLS code to support version 1.

Ok.  I may be able to help with some of that.


More information about the HostAP mailing list