Choosing Cipher

Jouni Malinen jkmaline at
Wed Sep 27 23:17:51 EDT 2006

On Tue, Sep 19, 2006 at 02:25:45PM -0700, Donnie Wishard wrote:
> I am new to the wpa supplicant and have a question.  I am trying to use this
> in a way that will not infringe on any cipher patents (RSA Idea etc).  I
> have built OpenSSL without the ciphers however the supplicant will not build
> when I remove RSA from OpenSSL.  That leads me to the following questions:
> 1)  Does the supplicant use a certain cipher by default, and can i change
> that default.

No, by default TLS library (e.g., OpenSSL) takes care of selecting
which cipher to use.

> 2)  How do I dictate which ciphers the supplicant will use.

Currently, there is no exposed configuration option in wpa_supplicant
for setting the supported cipher list. In other words, whatever was
included in the TLS library will be used.

> The fact that it wont build without RSA in the OpenSSL dll leads me to
> believe that something from RSA is required for build.

RSA is very commonly used public key algorithm used with X.509
certificates. I have never tested disabling it, but I would assume that
this could be done. Anyway, I think that RSA patent expired already
(well, at least in US; I don't know whether it could still be valid
somewhere else).

> I guess I am just trying to figure out when / how the supplicant decides
> which cipher to use.

At the moment, this is all done in the TLS library and wpa_supplicant
does not limit the cipher selection (except for EAP-FAST which has
somewhat stricter rules on which cipher suite can be used).

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list