<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hi J,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Find attached the patch I applied to wpa_supplicant to disable TLS session reuse.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>All the best,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Owain<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Phillips, Owain <br><b>Sent:</b> 02 April 2012 13:13<br><b>To:</b> 'j@w1.fi'<br><b>Cc:</b> 'hostap@lists.shmoo.com'<br><b>Subject:</b> FW: EAP-TLS and TLS Session reuse in 0.7.3<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Hi Mr.Malinen,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I understand you are very busy but I wondered if you had commented on my post.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Kind Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Owain.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Phillips, Owain <br><b>Sent:</b> 29 March 2012 13:35<br><b>To:</b> 'hostap@lists.shmoo.com'<br><b>Subject:</b> EAP-TLS and TLS Session reuse in 0.7.3<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am using EAP-TLS on wpa_supplicant 0.7.3 with Cisco ACS 5.2.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am seeing the WPA_Supplicant offer a session ticket in the TLS exchange.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I would like to disable the session reuse and prevent the wpa_supplicant from offering session reuse in its Client Hello but how?<o:p></o:p></p><p class=MsoNormal>I tried using the “fast_reauth=0” configuration option, but this appeared not to stop the TLS extension being sent in the hello. (is this only relevant for EAP-FAST?)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I then patched the wpa_supplicant adding the call to SSL_CTX_set_options( SSL_OP_NO_TICKET) for the SSL context. This appears to have worked, but I know this is not the right way to go about things; I really want to use the unadulterated vanilla wpa_supplicant. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>What is the correct way to ensure that we DON’t use TLS session reuse with wpa_supplicant?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am using openSSL 0.9.8q-2 SSL libraries.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All the best,<o:p></o:p></p><p class=MsoNormal>Owain<o:p></o:p></p></div></body></html>