Jouni Malinen recently posted here with a patch that adds support for various
features required in OpenSSL to support new authentication protocols like
EAP-FAST and others.
I want to confirm that his patch applies cleanly to openssl-SNAP-20070816 and
works as intended.
I want to encourage the dev team to apply his patch to the mainline. Without
this code (or something like it) it is not possible to support EAP-FAST and
other similar modern authentication protocols that need to fiddle with the
master key during TLS handshake.
Just in case it's hard to get the patch from his post, it is also here for easy
download:
http://www.open.com.au/radiator/free-downloads/openssl-0.9.9-session-ticket.patch
Please consider this patch. If the dev team needs anything else before rolling
it in, please let me or Jouni know. I know I will be happy to assist.
Cheers.
--
Mike McCauley mi...@open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org
Further to this, I have tested Jouni's patches against 0.9.8d, 0.9.8e and
openssl-SNAP-20070816 on Linux, Solaris and Windows and they work fine.
Can we have some discussion about including these patches in the mainline
please? They add badly needed features to support EAP-FAST and other modern
authentication protocols. In particular they add SSL_set_hello_extension and
SSL_set_session_secret_cb, and adjust exactly when the TLS server_random is
set (required to change the master key during EAP-FAST handshake). None of
the existing feature set is removed or broken by these patches.
What else do you need before rolling these patches in?
http://www.open.com.au/radiator/free-downloads/openssl-0.9.9-session-ticket.patch
Cheers.