<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 4:23 PM, Jouni Malinen <span dir="ltr"><<a href="mailto:j@w1.fi" target="_blank">j@w1.fi</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">On Tue, Apr 08, 2014 at 05:51:08PM +0300, Jouni Malinen wrote:<br>
> A quick update on this.. I do have such a tool now, but I'm not planning<br>
> on making it public today or for a couple of days to give some more time<br>
> for server side updates should any EAP server be vulnerable (it is way<br>
> too easy to convert that tool to an attack tool over wireless..).<br>
><br>
> Anyway, it looks like misuse of OpenSSL APIs prevents most attack<br>
> options for this case, so this may be somewhat less critical for EAP<br>
> servers compared to other uses of TLS. I tested with a couple of RADIUS<br>
> authentication servers and could not trigger the issue due to reasons<br>
> that I confirmed to be because of incorrect OpenSSL API use.. (For<br>
> completeness, I did fix one such case to verify that the test tool works<br>
> and to confirm that this was indeed "safer" due to incorrect API use.).<br>
<br>
</div>OK, that was a bit too optimistic. I found a couple of cases where this<br>
vulnerability can be triggered over EAP, so no public availability for<br>
the test tool for now. Feel free to contact me privately if you have a<br>
justifiable use for such a test tool. I'll probably push it to<br>
eapol_test later once there has been some more time to get<br>
authentication servers updated.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Jouni Malinen PGP id EFC895FA<br>
_______________________________________________<br>
HostAP mailing list<br>
<a href="mailto:HostAP@lists.shmoo.com">HostAP@lists.shmoo.com</a><br>
<a href="http://lists.shmoo.com/mailman/listinfo/hostap" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
</div></div></blockquote></div><br><br>Almost everything has to be patched, it is a mess.</div><div class="gmail_extra">I used a hostapd with a static OpenSSL, hopefully RADIUS is elsewhere.</div><div class="gmail_extra">If I am thorough I should regenerate all certificates of clients because this machine hosted </div>
<div class="gmail_extra">an https website</div><div class="gmail_extra"><br></div><div class="gmail_extra">:'( </div><div class="gmail_extra"><div><br></div>-- <br><div>---------------------------------------------------------------------------------------------------------------------<br>
() ascii ribbon campaign - against html e-mail <br>/\ </div>
</div></div>