wpa-supplicant EAP-TLS Key derivation TLS 1.2

Jānis Čoders janis.coders at gmail.com
Fri Aug 28 10:07:14 EDT 2015

Hi, I am developing 802.1x client/authenticator and radius server with
EAP method support and
got confused about key derivation.

In rfc5216#section-2.3 (EAP-TLS) it is stated that key derivation is
done using TLS pseudo
random function:
TLS-PRF-X =     TLS pseudo-random function defined in [RFC4346],
                   computed to X octets.
and it links to RFC with TLS version 1.1.

*) So the question is - does that mean that EAP-TLS must
derive keys using TLS 1.1 version OR it must derive key according to
which TLS version was
used by making the tunnel?

1) IF key must be derived in all cases as in TLS 1.1, then we can't
use openssl library's function
SSL_export_keying_material(), because it seems to derive according to
used TLS version.

2) IF key must be derived according to used TLS version, then using
is fine, but that function is available only from newer version
(tls_openssl.c) :


and if this fails then wpa_supplicant fallbacks to using
internal/custom functions, which derives
keys accoridng to TLS 1.1. So it would fail in case there is openssl
on the other side, which
uses SSL_export_keying_material().

Also I think the same applies to EAP-TTLS (maybe even PEAP/FAST/LEAP)

Ar cieņu,
Jānis Čoders

More information about the HostAP mailing list