Re: Phase 2 in EAP-TLS
- From: Janboe Ye <janboe ye gmail com>
- To: Dan Williams <dcbw redhat com>, networkmanager-list gnome org
- Subject: Re: Phase 2 in EAP-TLS
- Date: Sun, 22 Apr 2012 01:53:27 +0800
hi, Dan
Could you help to explain how network manager knows which phase2 method
is used?
Thanks
Janboe Ye
Dan Williams wrote:
> On Fri, 2012-01-06 at 10:39 +0800, Gary Ching-Pang Lin wrote:
>> 2012/1/6 Dan Williams <dcbw redhat com>:
>> > On Thu, 2011-12-29 at 11:27 +0800, Gary Ching-Pang Lin wrote:
>> >> Hi all,
>> >>
>> >> I read the source code of network-manager-applet recently and
>> >> have some questions about the eap-method-tls.c.
>> >>
>> >> In eap-method-tls.c, there are several checks for the variable
>> >> "phase2" which isn't used in ttls or peap, and the variable is
>> >> initialized in eap_method_tls_new() and is never changed afterward.
>> >> However, I found that eap_method_tls_new() is called only in
>> >> wireless-security.c, and "phase2" is set to FALSE explicitly.
>> >> In other words, the phase2 functions in eap-method-tls.c were
>> >> never used.
>> >>
>> >> Here are my questions.
>> >> 1) Why is "phase2" declared but never used? Is it for any further plan
>> >> or just a legacy of some old code?
>> >
>> > It's actually used. The EAPMethod things are lightweight objects but
>> > don't use GObject, just plain C structures. So what's going on there
>> > is that phase2 gets passed into eap_method_tls_new() and then that is
>> > passed to the call to eap_method_init(). The object returned from that
>> > call is actually the EAPMethodTLS, or "self". Anywhere in that file
>> > you see EAPMethod/parent that means the EAPMethodTLS->parent, so the
>> > phase2 passed in here actually shows up as parent->phase2 throughout
>> > the file.
>> >
>> Thanks for the explanation. What's confusing me is that
>> eap_method_tls_new() only appears in wireless-security.c besides
>> eap-method-tls.*:
>>
>> em_tls = eap_method_tls_new (sec, connection, FALSE, secrets_only);
>>
>> The statement assigns FALSE to phase2 explicitly. So even though there are
>> checks for phase2 in eap-method-tls.c, the variable is always FALSE, and
>> the phase2 checks become kind of meaningless.
>
> It looks like TLS phase2 was coded for but never actually
> enabled/finished because at the time I think there may have been
> questions about whether it was really a valid configuration. But I
> think the phase2 support will never get called, as you suggest. We
> could enable it though, I'd be happy to take patches to do so since I've
> had a few questions about it.
>
> Dan
>
>> > It could be clearer if these were actually GObjects I suppose, since
>> > that's a standard understandable mechanism, instead of the
>> > pseudo-object stuff that I wrote here long ago.
>> >
>> >> 2) In what condition will EAP-TLS be used as "Phase 2"?
>> >> I googled related documents but only found the Phase 2 auth
>> >> methods for PEAP and TTLS.
>> >
>> > TTLS-TLS is a valid method: TTLS for the outer tunnel, and TLS for the
>> > inner tunnel. I've also heard that PEAP-TLS is used though that's a
>> > pretty pointless setup. Basically, TLS is a valid inner tunnel (ie,
>> > "phase2" method).
>> >
>> Ah, then that makes sense, though TTLS-TLS/PEAP-TLS seems too
>> complicated for a normal user :-p
>>
>> Gary Lin
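The plain-C "pseudo-object" pattern Dan describes, as an added illustration that is not network-manager-applet's own code: the base struct sits first inside the TLS struct, the phase2 argument passed to a stand-in for eap_method_init() becomes parent->phase2, and that flag is what selects the outer or inner (phase2-*) certificate keys. The struct layout, eap_method_tls_new() signature and the 802-1x key names used here are assumptions, not taken from the thread.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Base "class": no GObject, just a struct that derived types embed first. */
typedef struct {
    bool phase2;   /* true when TLS is the inner (phase 2) method */
} EAPMethod;

/* Derived "class": because parent is the first member, an EAPMethodTLS*
 * can be used wherever an EAPMethod* is expected (hypothetical layout). */
typedef struct {
    EAPMethod parent;
} EAPMethodTLS;

/* Stand-in for eap_method_init(): the phase2 argument lands in parent->phase2. */
static void eap_method_init(EAPMethod *parent, bool phase2)
{
    parent->phase2 = phase2;
}

/* Stand-in for eap_method_tls_new(sec, connection, phase2, secrets_only)
 * with only the phase2 argument kept. */
static EAPMethodTLS *eap_method_tls_new(EAPMethodTLS *self, bool phase2)
{
    eap_method_init(&self->parent, phase2);
    return self;
}

/* The kind of check eap-method-tls.c makes on parent->phase2: an inner TLS
 * method stores its CA certificate under a phase2-* setting key (assumed
 * 802-1x key names: "ca-cert" vs "phase2-ca-cert"). */
const char *tls_ca_cert_key_for(bool phase2)
{
    EAPMethodTLS tls;
    EAPMethod *parent = &eap_method_tls_new(&tls, phase2)->parent;
    return parent->phase2 ? "phase2-ca-cert" : "ca-cert";
}

int main(void)
{
    /* wireless-security.c always passes FALSE, so only this branch is reachable there. */
    printf("outer TLS writes: %s\n", tls_ca_cert_key_for(false));
    /* The phase2 branch only runs if some caller passes TRUE. */
    printf("inner TLS would write: %s\n", tls_ca_cert_key_for(true));
    return 0;
}
```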