wpa-supplicant EAP-TLS Key derivation TLS 1.2

Jouni Malinen j at w1.fi
Fri Aug 28 12:08:54 EDT 2015


On Fri, Aug 28, 2015 at 03:28:52PM +0100, Nick Lowe wrote:
> You derive it based on the TLS version.
> 
> SSL_export_keying_material() is fine to use as all OpenSSL versions
> that implement TLS 1.2 support this.
> 
> Falling back where it is not available is therefore fine.

For existing cases, yes, that was the case. With TLS v1.2 getting
enabled for EAP-FAST with some new OpenSSL versions, additional changes
are needed. That's why the fallback does now have support for TLS v1.2
-based key derivation:
http://w1.fi/cgit/hostap/commit/?id=16bc3b8935c3f37ea79ff511a36e77d52ab94da7

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list