mrw wrote:
> Despite @ralphy's post, -wpa_supplicant- has been built (I think) with
> an "internal" TLS library, which apparently supports TLS v1. That may be
> why the author of "Raptors blog" claimed to be able to get somewhere
> back in 2011.
Well, I tried this out on an RPi based access point running -hostapd-,
which I set up to use its internal (minimal?) radius server.
At first it wouldn't work, but that's because the RPi system defaulted
to minimum TLS v1.2. When -hostapd- was persuaded to use TLS v1.0
(-tls_flags=[ENABLE-TLSv1.0]-) then, well, it worked.
Code:
--------------------
> wpa_cli status
<snip>
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
<snip>
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1
EAP TLS cipher=DHE-RSA-AES-256-SHA
tls_session_reused=0
<snip>
--------------------
I then tried it using @ralphy's modified -wpa_supplicant build-,
configured for TLS 1.1 & 1.2. That, too, worked:
Code:
--------------------
> wpa_cli status
<snip>
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
<snip>
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=DHE-RSA-AES-256-SHA256
tls_session_reused=0
<snip>
--------------------
I had a number of false starts with this, with things behaving in a
somewhat peculiar manner. At one point I was finding myself seemingly
needing to put -phase1="tls_disable_tlsv1_0=1"- into
wpa_supplicant.conf's network configuration before it would work. But
then, mysteriously, I didn't. So that's probably a red herring, and I
remain a bit puzzled. But that's common with the Radio's wireless. :)
This change to hostapd/wpa_supplicant may be relevant:
https://w1.fi/cgit/hostap/commit/src/crypto/tls_openssl.c?id=cc9c4feccc5588137f66c40a4a6729476556853e
My wireless configuration:
Code:
--------------------
network={
ssid="MY SSID"
scan_ssid=1
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=TLS
identity="Anything"
ca_cert="/root/ca.pem"
client_cert="/root/clientcert.der"
private_key="/root/clientkey.der"
}
--------------------
The -identity- setting is necessary, even though the actual identity
seems to be irrelevant. The private key is not encrypted, so no password
needed.
So, in principle it seems to work, but I will say that, on restart, the
Radio does not always seem to get any DHCP configuration, even though it
does connect to the AP. Sometimes it does, sometimes it doesn't. That
may be a difficulty with my test AP arrangements. But it all seems a bit
delicate. I don't think I'll be pursuing it further.
------------------------------------------------------------------------
mrw's Profile: http://forums.slimdevices.com/member.php?userid=38299
View this thread: http://forums.slimdevices.com/showthread.php?t=114842
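The two hostapd settings the post contrasts (TLS 1.0 re-enabled so the old built-in TLS client can authenticate, versus the TLS 1.2-and-up default left in place) and the matching supplicant network block, written out as an added example. This is not configuration from the post or from the hostap project; paths, the SSID, the identity and the RADIUS server name (radius.example.test) are placeholders, and the hardened block adds two things the post's block does not have: -domain_match-, so the client checks the server certificate's name and not just its CA, and -phase1- flags that refuse TLS 1.0/1.1 on the client side as well.

```conf
# ---- hostapd.conf (internal EAP server), weak variant ----
# Only the EAP-related keys are shown; interface/ssid/wpa keys are as usual.
eap_server=1
eap_user_file=/etc/hostapd/eap_user      # placeholder path; file contains the line:  * TLS
ca_cert=/etc/hostapd/ca.pem              # placeholder paths
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key
# What the post needed to get the stock build connected: re-enable TLS 1.0,
# which the OpenSSL default on the RPi had switched off. TLS 1.0 handshakes
# end up on CBC/SHA-1 suites (DHE-RSA-AES-256-SHA in the post's status output).
tls_flags=[ENABLE-TLSv1.0]

# ---- hostapd.conf, hardened variant ----
# Same server keys as above, but state the minimum version explicitly so a
# later change of the OpenSSL default cannot silently lower it.
tls_flags=[DISABLE-TLSv1.0][DISABLE-TLSv1.1]

# ---- wpa_supplicant.conf network block, hardened (client side) ----
network={
    ssid="MY SSID"
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="radio@example.test"            # placeholder; hostapd ignores it with "* TLS"
    ca_cert="/root/ca.pem"
    domain_match="radius.example.test"       # placeholder; pin the server cert's name, not only its CA
    client_cert="/root/clientcert.der"
    private_key="/root/clientkey.der"
    # Refuse TLS 1.0/1.1 even if the server offers them (only effective on a
    # build whose TLS library supports 1.2, i.e. not the stock internal one).
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
}
```

With the weak server variant, the stock client negotiates TLSv1 and the hardened client block refuses to connect at all; with the hardened server variant only the TLS 1.2-capable build gets through, which is exactly the split the post's two -wpa_cli status- outputs show.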
_______________________________________________
diy mailing list
http://lists.slimdevices.com/mailman/listinfo/diy
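A small check, added here and not part of the post or of the wpa_supplicant tools, that reads the same -wpa_cli status- fields the post quotes and decides whether the negotiated EAP-TLS session is acceptable: EAP must be in SUCCESS state, -eap_tls_version- must be TLSv1.2 or newer, and the cipher suite must not be a SHA-1 suite. The two sample status texts are constructed from the post's output, cut down to the relevant lines, so the script runs without a device; the interface name wlan0 is an assumption.

```shell
#!/bin/sh
# Added example: judge an EAP-TLS session from `wpa_cli status` output.
# Not from the original post; the status lines below are constructed samples.

# Constructed sample 1: what the stock (internal TLS) build negotiated.
SAMPLE_TLS10='EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1
EAP TLS cipher=DHE-RSA-AES-256-SHA
tls_session_reused=0'

# Constructed sample 2: what the TLS 1.1/1.2-capable build negotiated.
SAMPLE_TLS12='EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=DHE-RSA-AES-256-SHA256
tls_session_reused=0'

# check_eap_tls STATUS_TEXT
# Returns 0 when the session meets the policy, 1 otherwise (reason on stderr).
check_eap_tls() {
    status="$1"
    state=$(printf '%s\n' "$status" | sed -n 's/^EAP state=//p')
    ver=$(printf '%s\n' "$status" | sed -n 's/^eap_tls_version=//p')
    cipher=$(printf '%s\n' "$status" | sed -n 's/^EAP TLS cipher=//p')

    # No successful EAP exchange means nothing to assess.
    if [ "$state" != "SUCCESS" ]; then
        echo "EAP state is '$state', not SUCCESS" >&2
        return 1
    fi

    # The field is only present for TLS-based EAP methods; accept 1.2 and 1.3.
    case "$ver" in
        TLSv1.2|TLSv1.3) ;;
        '') echo "no eap_tls_version field (not an EAP-TLS session?)" >&2; return 1 ;;
        *)  echo "weak TLS version negotiated: $ver" >&2; return 1 ;;
    esac

    # OpenSSL names SHA-1 CBC suites with a bare "-SHA" suffix
    # (e.g. DHE-RSA-AES-256-SHA); "-SHA256"/"-SHA384" do not match this.
    case "$cipher" in
        *-SHA) echo "SHA-1 cipher suite negotiated: $cipher" >&2; return 1 ;;
    esac
    return 0
}

# Live use on a device (interface name is an assumption):
#   check_eap_tls "$(wpa_cli -i wlan0 status)" && echo OK
if [ "${1:-}" = "--live" ]; then
    check_eap_tls "$(wpa_cli -i "${2:-wlan0}" status)" && echo "EAP-TLS session OK"
fi
```

Run it as -sh check.sh --live wlan0- on the Radio; without arguments it only defines the function and the samples, which is how the constructed cases can be exercised in a shell.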