wpa_supplicant / 802.1x: Disable TLSv1.1 and TLSv1.2 for M51
Issue description

In bug 599595, a customer reported a possible interop problem involving 802.1x. This appears to be triggered by the wpa_supplicant update from v2.3->v2.5, which causes TLSv1.1 and TLSv1.2 to be enabled by default.

We do want to enable TLSv1.2 by default at some point, but it is important to give enterprise users a way to "opt-out" of the transition in case their current infrastructure is not compatible. So for M51 we will disable TLSv1.1/TLSv1.2 (same as M50), but for M52 or a future release we will enable it by default and add a policy allowing it to be disabled.
Apr 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/ed81fec79bb945a813c3ee2c5a85c9651bb3e16c

commit ed81fec79bb945a813c3ee2c5a85c9651bb3e16c
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Apr 21 00:09:55 2016

Temporarily disable TLSv1.1 and TLSv1.2

They are enabled by default in the latest wpa_supplicant builds, but we aren't quite ready to roll them out yet. Before we can enable them by default, we'll add options to CPanel to allow enterprise customers to disable the new protocols in case there are interop problems with buggy RADIUS servers.

BUG=chromium:605310
TEST=configure freeradius server to use TLSv1.2 and observe that the client only negotiates TLSv1.0. Tested with EAP-TLS and EAP-TTLS.

Change-Id: Ic579f79b7662f087a6f75df1f1e606f5449729dd
Reviewed-on: https://chromium-review.googlesource.com/340034
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Sameer Nanda <snanda@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Reviewed-by: Grant Grundler <grundler@chromium.org>

[modify] https://crrev.com/ed81fec79bb945a813c3ee2c5a85c9651bb3e16c/src/eap_peer/eap_tls_common.c
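The check in the TEST line above (which TLS version shows up in the EAP-TLS/EAP-TTLS handshake) can be made on a captured EAP packet by reading the version field of the hello message. This is an added example, not code from wpa_supplicant or from the commit; the function name and the sample bytes are constructed here, and it assumes the hello starts in the first, unfragmented EAP packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EAP_TYPE_TLS  13   /* RFC 5216 */
#define EAP_TYPE_TTLS 21   /* RFC 5281 */
#define EAP_FLAG_L    0x80 /* 4-byte TLS Message Length follows the flags */

/* Version field of the ClientHello (highest version offered) or ServerHello
 * (version negotiated, TLS <= 1.2) at the start of one unfragmented
 * EAP-TLS/TTLS packet: 0x0301 = TLSv1.0, 0x0302 = TLSv1.1, 0x0303 = TLSv1.2.
 * Returns -1 for anything else; *hs_type is set to 1 (Client) or 2 (Server). */
int eap_tls_hello_version(const uint8_t *p, size_t len, int *hs_type)
{
    size_t off = 6, eap_len;   /* code, id, length(2), type, flags */
    if (len < off)
        return -1;
    eap_len = ((size_t)p[2] << 8) | p[3];
    if (eap_len > len || (p[0] != 1 && p[0] != 2))   /* Request/Response */
        return -1;
    if (p[4] != EAP_TYPE_TLS && p[4] != EAP_TYPE_TTLS)
        return -1;
    if (p[5] & EAP_FLAG_L)
        off += 4;
    if (eap_len < off + 11)    /* record hdr 5 + handshake hdr 4 + version 2 */
        return -1;
    p += off;
    if (p[0] != 22 || (p[5] != 1 && p[5] != 2))      /* handshake, *Hello */
        return -1;
    *hs_type = p[5];
    return (p[9] << 8) | p[10];
}

/* Constructed samples, truncated right after the version field. */
const uint8_t sample_client_hello[] = {   /* EAP-Response, L flag set */
    0x02, 0x01, 0x00, 0x15, 0x0d, 0x80, 0x00, 0x00, 0x00, 0x0b,
    0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x01 };
const uint8_t sample_server_hello[] = {   /* EAP-Request, no L flag */
    0x01, 0x02, 0x00, 0x11, 0x0d, 0x00,
    0x16, 0x03, 0x03, 0x00, 0x06, 0x02, 0x00, 0x00, 0x02, 0x03, 0x03 };

int main(void)
{
    int t = 0, v;
    v = eap_tls_hello_version(sample_client_hello, sizeof sample_client_hello, &t);
    printf("hello type %d, version 0x%04x\n", t, (unsigned)v);
    v = eap_tls_hello_version(sample_server_hello, sizeof sample_server_hello, &t);
    printf("hello type %d, version 0x%04x\n", t, (unsigned)v);
    return 0;
}
```

With TLSv1.1 and TLSv1.2 disabled on the client, the ClientHello in the EAP-Response should carry 0x0301; a ServerHello carrying 0x0303 would mean TLSv1.2 was negotiated.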
Apr 23 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
Apr 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/9347c28c9d04128c268fff475d4554123bcf219f

commit 9347c28c9d04128c268fff475d4554123bcf219f
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Thu Apr 21 00:09:55 2016

Temporarily disable TLSv1.1 and TLSv1.2

They are enabled by default in the latest wpa_supplicant builds, but we aren't quite ready to roll them out yet. Before we can enable them by default, we'll add options to CPanel to allow enterprise customers to disable the new protocols in case there are interop problems with buggy RADIUS servers.

BUG=chromium:605310
TEST=configure freeradius server to use TLSv1.2 and observe that the client only negotiates TLSv1.0. Tested with EAP-TLS and EAP-TTLS.

Change-Id: Ic579f79b7662f087a6f75df1f1e606f5449729dd
Previous-Reviewed-on: https://chromium-review.googlesource.com/340034
(cherry picked from commit 55639532c506a1f800c57ac34643a7160f022841)
Reviewed-on: https://chromium-review.googlesource.com/340245
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
Commit-Queue: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/9347c28c9d04128c268fff475d4554123bcf219f/src/eap_peer/eap_tls_common.c
Apr 29 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 29 2016

May 10 2016

Sep 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/hostap/+/3592c99a6739af893309eca65cbfe6b9b6331531

commit 3592c99a6739af893309eca65cbfe6b9b6331531
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Wed Sep 20 22:35:20 2017

Temporarily disable TLSv1.1 and TLSv1.2

They are enabled by default in the latest wpa_supplicant builds, but we aren't quite ready to roll them out yet. Before we can enable them by default, we'll add options to CPanel to allow enterprise customers to disable the new protocols in case there are interop problems with buggy RADIUS servers.

BUG=chromium:605310
TEST=configure freeradius server to use TLSv1.2 and observe that the client only negotiates TLSv1.0. Tested with EAP-TLS and EAP-TTLS.

Change-Id: Ibe35008ac3037759b3a1198cf88a9d08016b59f0
Original-Reviewed-on: https://chromium-review.googlesource.com/340034
Original-Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Original-Tested-by: Kevin Cernekee <cernekee@chromium.org>
Original-Reviewed-by: Sameer Nanda <snanda@chromium.org>
Original-Reviewed-by: Paul Stewart <pstew@chromium.org>
Original-Reviewed-by: Grant Grundler <grundler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/669526
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Eric Caruso <ejcaruso@chromium.org>

[modify] https://crrev.com/3592c99a6739af893309eca65cbfe6b9b6331531/src/eap_peer/eap_tls_common.c
Comment 1 by cernekee@chromium.org, Apr 21 2016
Labels: Merge-Request-51
Status: Fixed (was: Started)