Commit 8b193d75 (unverified) authored by oddlama

nixos/hostapd: remove CCMP-256 from recommended ciphers

parent e130769d
+3 −0
@@ -134,6 +134,9 @@

- `vscode-utils.buildVscodeExtension` now requires pname as an argument

- The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore.
  Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.

- `nerdfonts` has been separated into individual font packages under the namespace `nerd-fonts`. The directories for font
  files have changed from `$out/share/fonts/{opentype,truetype}/NerdFonts` to
  `$out/share/fonts/{opentype,truetype}/NerdFonts/<fontDirName>`, where `<fontDirName>` can be found in the
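
Review bot: The new release-note entry for `enableRecommendedPairwiseCiphers` says what was removed but not how to get it back, so a user whose radio does support `CCMP-256` and relied on the old behavior gets no migration hint. Since the module concatenates `authentication.pairwiseCiphers` with the recommended set, suggest adding a sentence that `CCMP-256` can still be enabled by listing it in `pairwiseCiphers`. The second sentence of the entry would also read more clearly as "this caused startup failures on many devices, which are hard to debug in hostapd".
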
+4 −3
@@ -707,7 +707,7 @@ in {

                    pairwiseCiphers = mkOption {
                      default = ["CCMP"];
                      example = ["CCMP-256" "GCMP-256"];
                      example = ["GCMP" "GCMP-256"];
                      type = types.listOf types.str;
                      description = ''
                        Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets).
@@ -716,7 +716,8 @@ in {

                        Please refer to the hostapd documentation for allowed values. Generally, only
                        CCMP or GCMP modes should be considered safe options. Most devices support CCMP while
                        GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
                        GCMP and GCMP-256 is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
                        CCMP-256 support is rare.
                      '';
                    };

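Review bot: The updated `pairwiseCiphers` description says which ciphers are rare but not what happens when an unsupported one is listed. The release note for this change states that every configured pairwise cipher has to be supported by the radio and that the resulting startup failure is hard to debug, so that constraint belongs in this description as well, next to "CCMP-256 support is rare." Minor grammar point on the same lines: "GCMP and GCMP-256 is often only available" should be "are often only available".
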
@@ -903,7 +904,7 @@ in {
                  bssCfg = bssSubmod.config;
                  pairwiseCiphers =
                    concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers
                      ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"]));
                      ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "GCMP" "GCMP-256"]));
                in {
                  settings = {
                    ssid = bssCfg.ssid;
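
Review bot: The recommended list on the `optionals bssCfg.authentication.enableRecommendedPairwiseCiphers` line still contains `GCMP` and `GCMP-256`, which the option description in this same patch says are often only available on devices supporting WiFi 5 (IEEE 802.11ac) or higher. If every configured cipher must be supported by the radio, can older radios hit the same startup failure that motivated dropping `CCMP-256`? If so, either document that on `enableRecommendedPairwiseCiphers` or reduce the list further; if not, a short comment here explaining why the GCMP entries are safe to keep would help the next reader.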