authorLeorize <alaviss@users.noreply.github.com>2017-02-08 22:04:26 +0700
committerThomas Haller <thaller@redhat.com>2017-02-20 14:06:14 +0100
commit8ce60a302af87c4e8d085ae2ee2735a2e5579174 (patch)
tree5f7836910de5b9fd87c3fda52ad5af3f0023ac6e
parente3a9f1b32aa10f332536eca1a18f1ff21930f69b (diff)
supplicant: allows disabling select TLS versions on phase 1 authentication
Some AAA servers have issues interoperating with select TLS versions, which wpa_supplicant negotiates by default. This commit allows disabling the troublesome TLS versions so that connecting to such broken authentication servers becomes possible.
-rw-r--r--src/supplicant/nm-supplicant-config.c16
-rw-r--r--src/supplicant/nm-supplicant-settings-verify.c5
2 files changed, 20 insertions, 1 deletions
diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c
index 03bec72f6d..e67912cb5f 100644
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -896,6 +896,7 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
const char *ca_path_override = NULL, *ca_cert_override = NULL;
guint32 frag, hdrs;
gs_free char *frag_str = NULL;
+ NMSetting8021xAuthFlags phase1_auth_flags;
g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
g_return_val_if_fail (setting != NULL, FALSE);
@@ -982,6 +983,21 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
fast_provisoning_allowed = TRUE;
}
+ phase1_auth_flags = nm_setting_802_1x_get_phase1_auth_flags (setting);
+ if (phase1_auth_flags != NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) {
+ if (phase1->len)
+ g_string_append_c (phase1, ' ');
+ g_string_append_printf (phase1, "tls_disable_tlsv1_0=%d",
+ (NM_FLAGS_HAS (phase1_auth_flags,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0)) ? 1 : 0);
+ g_string_append_printf (phase1, " tls_disable_tlsv1_1=%d",
+ (NM_FLAGS_HAS (phase1_auth_flags,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1)) ? 1 : 0);
+ g_string_append_printf (phase1, " tls_disable_tlsv1_2=%d",
+ (NM_FLAGS_HAS (phase1_auth_flags,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2)) ? 1 : 0);
+ }
+
if (phase1->len) {
if (!add_string_val (self, phase1->str, "phase1", FALSE, NULL, error)) {
g_string_free (phase1, TRUE);
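Review bot: Once any flag is set, the added block writes all three `tls_disable_tlsv1_N` options, including an explicit `=0` for every version the user did not ask to disable. An explicit `=0` is not the same as leaving the option out: it can override a stricter default coming from the wpa_supplicant build or a system TLS policy (worth confirming against the supplicant versions targeted), so a request to disable only TLS 1.2 would also pin TLS 1.0 and 1.1 as enabled. Emitting only the requested options avoids that, e.g. `if (NM_FLAGS_HAS (phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0)) g_string_append_printf (phase1, "%stls_disable_tlsv1_0=1", phase1->len ? " " : "");` and the same for 1_1 and 1_2. Nothing visible here rejects the case where all three flags are set, which would leave none of these TLS versions to negotiate. The function body starts and ends outside the hunk.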
diff --git a/src/supplicant/nm-supplicant-settings-verify.c b/src/supplicant/nm-supplicant-settings-verify.c
index 9e22080857..ce3e46d8dc 100644
--- a/src/supplicant/nm-supplicant-settings-verify.c
+++ b/src/supplicant/nm-supplicant-settings-verify.c
@@ -81,7 +81,10 @@ const char * phase1_allowed[] = {"peapver=0", "peapver=1", "peaplabel=1",
"peap_outer_success=0", "include_tls_length=1",
"sim_min_num_chal=3", "fast_provisioning=0",
"fast_provisioning=1", "fast_provisioning=2",
- "fast_provisioning=3", NULL };
+ "fast_provisioning=3", "tls_disable_tlsv1_0=0",
+ "tls_disable_tlsv1_0=1", "tls_disable_tlsv1_1=0",
+ "tls_disable_tlsv1_1=1", "tls_disable_tlsv1_2=0",
+ "tls_disable_tlsv1_2=1", NULL };
const char * phase2_allowed[] = {"auth=PAP", "auth=CHAP", "auth=MSCHAP",
"auth=MSCHAPV2", "auth=GTC", "auth=OTP",
"auth=MD5", "auth=TLS", "autheap=MD5",
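Review bot: The six new `tls_disable_tlsv1_N=0/1` literals duplicate the strings formatted in nm_supplicant_config_add_setting_8021x, and nothing ties the two files together. Presumably each space-separated phase1 token is checked against this list, so a spelling difference on either side would only surface as a rejected configuration at runtime. A short comment above the array would help, e.g. `/* keep in sync with the phase1 options built in nm-supplicant-config.c */`. The array definition starts above the hunk.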