
Issue 765788

Starred by 12 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature



ChromeOS feature request: Support TLS 1.1/1.2 for WPA Enterprise WiFi

Project Member Reported by vkhabarov@chromium.org, Sep 15 2017

Issue description

Summary:
Right now (v60) ChromeOS uses only TLS v1.0 when authenticating in PEAP/EAP-TTLS (possibly others, didn't check) WPA-Enterprise networks; clients want us to support TLS 1.2.

Use case / Motivation:
Increase security, prepare for possible TLS 1.0 deprecation, better support

Existing workarounds:
Allow TLS 1.0 on auth side

Case#: 13615592

 
Cc: vkhabarov@google.com
Are there any resolutions to this issue? Is it just an issue with version 60 and below or an issue since version 60? We have 50,000+ Chromebooks trying to utilize TLS 1.2 for authentication. How can we escalate this to be addressed?
Owner: jayhlee@chromium.org
Hi Jay!
Could you help triage this FR?
Thanks!

Comment 4 by jayhlee@google.com, Oct 31 2017

Cc: davidben@chromium.org
I find it hard to believe that we're not able to use TLS 1.2 here. I don't believe the WiFi stack is using BoringSSL yet, should still be on OpenSSL but OpenSSL has supported TLS 1.2 for ages afaik.

Victor: please gather logs showing TLS 1.0 is in use and not 1.2.

+David: penny for your thoughts?
Screenshot with the packet, which sets TLS 1.0 as the only option - 
https://drive.google.com/a/google.com/file/d/0B7RXwPjBEiJ3SnBzZ1JqVFJfTVk/view?usp=sharing
This is all deep in wpa_supplicant, so nothing I'd know anything about. At a glance through the source, wpa_supplicant seems to do TLS 1.2 with EAP-TTLS fine. You want the CrOS folks.
Cc: cernekee@chromium.org
rsleevi points out this is probably due to issue #605310 and issue #599595. :-/
Are we still waiting on Enterprises to fix their issues or could this be enabled back now?
Unfortunately I don't have a good way to tell which enterprises will have interop problems if we flip the switch globally.  So adding the policy is a way for them to safely back out the change.
Cc: -cernekee@chromium.org
Owner: cernekee@chromium.org
Status: Assigned (was: Untriaged)
I guess this should be assigned to you then, to mirror issue #605728.
David: I tried doing EAP-TTLS as you noted in comment#7, but it also fails when our RADIUS auth server has TLS 1.0 disabled, and succeeds when TLS 1.0 is enabled (logs also show it doesn't change from TLS 1.0 to a higher version). Would EAP-TTLS operate differently from PEAP with the TLS version used for 802.1x authentication, or would it be the same root issue as PEAP (issue #605728)?
I think CrOS's wpa_supplicant might just disable TLS 1.1 and 1.2 across the board right now, I'm afraid. :-(

Hopefully cernekee@ will get to fixing that soon.
Cc: aashuto...@chromium.org dsunk...@chromium.org
Any update?
It's been over 2 months since the last activity.
Looks like we still didn't implement it and more customers are asking for updates.
