wpa_supplicant/NM fallback to WPA?

Johannes Berg johannes at sipsolutions.net
Tue May 6 17:16:25 EDT 2008


> Yeah.. The problem here is that this AP is broken in a way that could
> lead to compromised security since supplicant will not be able to verify
> that the advertised RSN IE matches with the signed one.. In theory, one
> could try to use WPA in this type of case, but I don't really like the
> extra complexity that this would bring into AP selection.

Yeah, true. I guess we'll just have to make NM do the fallback ;)

> This AP seems to advertise
> both TKIP and CCMP as allowed pairwise ciphers, but only includes the
> negotiated pairwise cipher suite in msg 3/4. By doing so, it breaks the
> protection against downgrade attacks..

Fun...

> WPA: IE in 3/4 msg does not match with IE in Beacon/ProbeResp
> WPA: RSN IE in Beacon/ProbeResp - hexdump(len=26): 30 18 01 00 00 0f ac 02 02 00 00 0f ac 02 00 0f ac 04 01 00 00 0f ac 02 01 00
> WPA: RSN IE in 3/4 msg - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 02 01 00

I can't parse that manually quickly so I'll trust you on it :)

> Quick Google search for this AP seemed to bring lots of pages with
> things like "funktioniert nicht" and "keine Verbindung", so maybe you
> are not the only one seeing this problem.. The connection would likely
> fail with any WPA2-enabled (and correctly implemented ;-) client..

Heh. Looks like.

> My guess would be that this could work fine if the AP were configured to
> use "Nur WPA2" in the Sicherheit | Verschlüsselungsmethode.. I would
> assume WPA/WPA2 is the default, though, and that results in this problem
> with RSN.

I haven't got a clue, it's not my AP and I can't reconfigure it (well I
can probably guess the password but would rather not muck with it)

> Would you happen to have any idea how common those APs are? If I
> understood correctly, this is a telco/ISP-branded AP from a large ADSL
> provider, so there may very well be quite a few of those APs around..

Yeah, Arcor is a large German telco/ADSL provider and I guess they
ship(ped) this or similar APs to each of their customers that buys ADSL.

johannes
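
The two RSN IE hexdumps quoted above, decoded field by field to show where they differ. This is an added example, not part of the original message and not wpa_supplicant's own code; the function names are illustrative, and the parser assumes every field up to RSN capabilities is present, as it is in both dumps.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")                        # IEEE 802.11 OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

# The two dumps quoted in the message above.
BEACON_IE = bytes.fromhex(
    "30 18 01 00 00 0f ac 02 02 00 00 0f ac 02 00 0f ac 04"
    " 01 00 00 0f ac 02 01 00")
MSG3_IE = bytes.fromhex(
    "30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 02 01 00")


def parse_rsn_ie(ie):
    """Decode an RSN IE that carries every field up to RSN capabilities."""
    if len(ie) < 2 or ie[0] != 0x30 or ie[1] != len(ie) - 2:
        raise ValueError("not an RSN IE or length byte is wrong")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN IE")
        pos += n
        return body[pos - n:pos]

    def u16():
        return struct.unpack("<H", take(2))[0]       # fields are little-endian

    def suite(names):
        sel = take(4)                                # 3-byte OUI + 1-byte type
        if sel[:3] != RSN_OUI:
            return sel.hex()                         # vendor-specific selector
        return names.get(sel[3], "unknown-%d" % sel[3])

    out = {"version": u16(), "group": suite(CIPHERS)}
    out["pairwise"] = [suite(CIPHERS) for _ in range(u16())]
    out["akm"] = [suite(AKMS) for _ in range(u16())]
    out["capabilities"] = u16()
    return out


def diff_rsn(beacon_ie, msg3_ie):
    """Return {field: (beacon value, msg 3/4 value)} for fields that differ."""
    a, b = parse_rsn_ie(beacon_ie), parse_rsn_ie(msg3_ie)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    print(diff_rsn(BEACON_IE, MSG3_IE))
```

Only the pairwise cipher list differs: the Beacon/ProbeResp advertises TKIP and CCMP, while msg 3/4 carries CCMP alone.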