supplicant: allows disabling select TLS versions on phase 1 authentication

Some AAA servers have issues interoperating with select TLS versions, which wpa_supplicant negotiates by default. This commit allows disabling troubling versions of TLS so that connecting to broken authentication servers could be possible.
2025-12-25 08:20:08 +01:00 · 2017-02-08 22:04:26 +07:00 · 2017-02-08 22:04:26 +07:00 · 8ce60a302a
commit 8ce60a302a
parent e3a9f1b32a
2 changed files with 20 additions and 1 deletions
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@ -896,6 +896,7 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 	const char *ca_path_override = NULL, *ca_cert_override = NULL;
 	guint32 frag, hdrs;
 	gs_free char *frag_str = NULL;
+	NMSetting8021xAuthFlags phase1_auth_flags;

 	g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE);
 	g_return_val_if_fail (setting != NULL, FALSE);
@ -982,6 +983,21 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 			fast_provisoning_allowed = TRUE;
 	}

+	phase1_auth_flags = nm_setting_802_1x_get_phase1_auth_flags (setting);
+	if (phase1_auth_flags != NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_DEFAULT) {
+		if (phase1->len)
+			g_string_append_c (phase1, ' ');
+		g_string_append_printf (phase1, "tls_disable_tlsv1_0=%d",
+		                        (NM_FLAGS_HAS (phase1_auth_flags,
+		                                       NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_0)) ? 1 : 0);
+		g_string_append_printf (phase1, " tls_disable_tlsv1_1=%d",
+		                        (NM_FLAGS_HAS (phase1_auth_flags,
+		                                       NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_1)) ? 1 : 0);
+		g_string_append_printf (phase1, " tls_disable_tlsv1_2=%d",
+		                        (NM_FLAGS_HAS (phase1_auth_flags,
+		                                       NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_1_2)) ? 1 : 0);
+	}
+
 	if (phase1->len) {
 		if (!add_string_val (self, phase1->str, "phase1", FALSE, NULL, error)) {
 			g_string_free (phase1, TRUE);
--- a/src/supplicant/nm-supplicant-settings-verify.c
+++ b/src/supplicant/nm-supplicant-settings-verify.c
@ -81,7 +81,10 @@ const char * phase1_allowed[] =   {"peapver=0", "peapver=1", "peaplabel=1",
                                    "peap_outer_success=0", "include_tls_length=1",
                                    "sim_min_num_chal=3", "fast_provisioning=0",
                                    "fast_provisioning=1", "fast_provisioning=2",
-                                    "fast_provisioning=3", NULL };
+                                    "fast_provisioning=3", "tls_disable_tlsv1_0=0",
+                                    "tls_disable_tlsv1_0=1", "tls_disable_tlsv1_1=0",
+                                    "tls_disable_tlsv1_1=1", "tls_disable_tlsv1_2=0",
+                                    "tls_disable_tlsv1_2=1", NULL };
 const char * phase2_allowed[] =   {"auth=PAP", "auth=CHAP", "auth=MSCHAP",
                                   "auth=MSCHAPV2", "auth=GTC", "auth=OTP",
                                   "auth=MD5", "auth=TLS", "autheap=MD5",