Hi, in order to support EAP-FAST connections, some cipher suites whose authentication is anonymous have to be supported. But I'm not able to find these cipher suites in the mbedtls library. Is there a way to set these cipher suites?
The required cipher suites are like the following:
Hi Jang,
Thank you for your query.
Yes, Mbed TLS does not support the DH anonymous ciphersuites. These ciphersuites have potential for man-in-the-middle attacks.
As described in the EAP-FAST draft:
It is RECOMMENDED that anonymous ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA only be used in the context of the provisioning described in [I-D.cam-winget-eap-fast-provisioning]. Care must be taken to address potential man-in-the-middle attacks when cipher suites that do not provide authenticated tunnel establishment are used.
From this quote I understand that these anonymous ciphersuites are not mandatory to support EAP-FAST. Note that these ciphersuites were removed for TLS 1.3 as well.
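Since the reply's point is that anonymous suites such as TLS_DH_anon_WITH_AES_128_CBC_SHA give an encrypted tunnel with no peer authentication, a deployment that relies on the tunnel being authenticated should be able to verify that no such suite is enabled. The following is an added example, not code from this thread or from the Mbed TLS project; it uses Python's `ssl` module (OpenSSL-backed) as a stand-in TLS stack, and the regular expressions for IANA-style (`TLS_DH_anon_`, `TLS_ECDH_anon_`) and OpenSSL-style (`ADH-`, `AECDH-`) names are my own assumption about the naming conventions in use.

```python
"""Audit a TLS ciphersuite list for suites that provide no peer authentication.

Added example, not part of the forum thread or of Mbed TLS. Anonymous
suites (TLS_DH_anon_*, TLS_ECDH_anon_*) encrypt the tunnel but never
authenticate the peer, so an active attacker can interpose itself; a
deployment that must not use them should check its configured list.
"""
import re
import ssl

# Assumed naming conventions: IANA names carry "DH_anon"/"ECDH_anon",
# OpenSSL names carry the "ADH-"/"AECDH-" prefix.
_ANON_IANA = re.compile(r"^TLS_(EC)?DH_anon_")
_ANON_OPENSSL = re.compile(r"^A(EC)?DH-")


def is_anonymous(name: str) -> bool:
    """True if the ciphersuite name denotes an unauthenticated key exchange."""
    return bool(_ANON_IANA.match(name) or _ANON_OPENSSL.match(name))


def find_anonymous(suites):
    """Return the subset of a configured list that allows an unauthenticated tunnel."""
    return [s for s in suites if is_anonymous(s)]


def context_anonymous_suites(ctx: ssl.SSLContext):
    """Names of suites enabled in an SSLContext that carry no authentication.

    Python reports the authentication algorithm under the 'auth' key of each
    get_ciphers() entry; the name check is kept as a second, independent signal.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("auth") == "auth-null" or is_anonymous(c["name"])
    ]


def default_context_is_clean() -> bool:
    """True if the stack's default client configuration offers no anonymous suite."""
    return context_anonymous_suites(ssl.create_default_context()) == []


def stack_offers_anonymous():
    """Ask the stack to enable only anonymous suites and report which it has.

    An empty list means the library was built without them (the situation the
    reply describes for Mbed TLS), because OpenSSL rejects a cipher string that
    selects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("aNULL")
    except ssl.SSLError:
        return []
    return context_anonymous_suites(ctx)


if __name__ == "__main__":
    # Constructed sample list mixing the suite quoted in the thread with
    # authenticated suites and one OpenSSL-style anonymous name.
    configured = [
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "AECDH-AES256-SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    ]
    print("unauthenticated suites in configured list:", find_anonymous(configured))
    print("default client context clean:", default_context_is_clean())
    print("anonymous suites built into this stack:", stack_offers_anonymous())
```

`find_anonymous` is the check to run over whatever list a device's TLS configuration is built from; `default_context_is_clean` and `stack_offers_anonymous` show the same policy applied to a live context, which is the equivalent of confirming that the library simply lacks these suites, as the reply says Mbed TLS does.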