74cc861970
https://www.top10vpn.com/research/wifi-vulnerabilities/ PEAP client: Update Phase 2 authentication requirements The previous PEAP client behavior allowed the server to skip Phase 2 authentication with the expectation that the server was authenticated during Phase 1 through TLS server certificate validation. Various PEAP specifications are not exactly clear on what the behavior on this front is supposed to be and as such, this ended up being more flexible than the TTLS/FAST/TEAP cases. However, this is not really ideal when unfortunately common misconfiguration of PEAP is used in deployed devices where the server trust root (ca_cert) is not configured or the user has an easy option for allowing this validation step to be skipped. Change the default PEAP client behavior to be to require Phase 2 authentication to be successfully completed for cases where TLS session resumption is not used and the client certificate has not been configured. Those two exceptions are the main cases where a deployed authentication server might skip Phase 2 and as such, where a more strict default behavior could result in undesired interoperability issues. Requiring Phase 2 authentication will end up disabling TLS session resumption automatically to avoid interoperability issues. Allow Phase 2 authentication behavior to be configured with a new phase1 configuration parameter option: 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS tunnel) behavior for PEAP: * 0 = do not require Phase 2 authentication * 1 = require Phase 2 authentication when client certificate (private_key/client_cert) is no used and TLS session resumption was not used (default) * 2 = require Phase 2 authentication in all cases |
||
|---|---|---|
| .. | ||
| ap | ||
| common | ||
| crypto | ||
| drivers | ||
| eap_common | ||
| eap_peer | ||
| eap_server | ||
| eapol_auth | ||
| eapol_supp | ||
| fst | ||
| l2_packet | ||
| p2p | ||
| pae | ||
| radius | ||
| rsn_supp | ||
| tls | ||
| utils | ||
| wps | ||
| Makefile | ||
| lib.rules | ||