EAP-TLS disabling TLS Session reuse and SSL_CTX_set_options( SSL_OP_NO_TICKET)

Jouni Malinen j at w1.fi
Fri Apr 6 14:48:55 EDT 2012


On Tue, Apr 03, 2012 at 12:24:18PM +0200, Phillips, Owain wrote:
> I get some issue using Cisco ACS 5.2 and wpa_supplicant in EAP-TLS mode. Wpa_supplicant seems to be trying to use TLS Session reuse and this is leading to failed authentications and the access switch I am connected to sending me an EAP-Failure.

Are you sure this is because of TLS session reuse?

> I have tried to disable TLS Session reuse using the "fast_reauth=0" config option; this did not work.

This should disable TLS session reuse..

> One of my colleagues who has disabled session reuse for other sub-systems on our HW disabled the session reuse using SSL_CTX_set_options( ctx, SSL_OP_NO_TICKET) for his SSL contexts.

While this disables use of TLS Session Ticket extensions..

> I have patched the same fix into wpa_supplicant and seen this stops wpa_supplicant offering the session reuse and stops my failed reauthentications; all works fine.

Those two things are different. fast_reauth=0 disables TLS session
resumption.

> Now I would like to run with the standard unadulterated wpa_supplicant. Are there any plans to disable session reuse using this SSL_CTX_set_options(); which appears to be the standard way of disabling session reuse in OpenSSL?

No, because that is not the way to do that.. If you are talking about
disabling use of TLS Session Ticket extension that could be done.
However, it needs to be kept in mind that EAP-FAST requires this to be
enabled, so it is not fine to just unconditionally disable all use of
the ticket extension.

I would like to better understand what is failing in the default
configuration since I cannot reproduce this type of issues. Would you
be able to capture the EAP-TLS exchange both in the failing case and
then with change to make wpa_supplicant disable session ticket
extension?

-- 
Jouni Malinen                                            PGP id EFC895FA
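For readers who want to see where the supplicant-side switch actually lives, the following wpa_supplicant.conf fragment is an added example for this archive page, not configuration from the original thread or from the hostap project. It shows the global `fast_reauth` setting (EAP session resumption, the thing the thread is about) next to a wired EAP-TLS network block of the kind used when authenticating to an access switch; the identity, certificate paths and passphrase are placeholders.

```conf
# --- global section (constructed example, not from the thread) ---
# Wired 802.1X: no scanning, talk to whatever authenticator is on the port.
ap_scan=0

# fast_reauth controls EAP session resumption (TLS session resumption
# in EAP-TLS/TTLS/PEAP).  1 = enabled (wpa_supplicant default), 0 = disabled.
# This is the setting the thread refers to; it is independent of the TLS
# session ticket extension that OpenSSL's SSL_OP_NO_TICKET turns off.
#fast_reauth=1
fast_reauth=0

# --- EAP-TLS network block for a wired port ---
network={
    # Plain IEEE 802.1X/EAPOL, no WPA key management on a wired link.
    key_mgmt=IEEE8021X
    eap=TLS
    # placeholder identity and certificate material
    identity="user@example.org"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.key"
    private_key_passwd="placeholder-passphrase"
    # eapol_flags=0: no dynamic WEP keying, authentication only.
    eapol_flags=0
}
```

To reproduce a failing and a working run for comparison, as asked for above, start the supplicant with the wired driver and debug output (`wpa_supplicant -Dwired -ieth0 -c wpa_supplicant.conf -d`) and record the EAPOL frames on the port in parallel (`tcpdump -i eth0 -w eap-tls.pcap ether proto 0x888e`); the EAP-Failure and the preceding TLS records are then visible in the capture.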