I noticed that for WPA3 there is currently no possibility to enable GCMP in luci. It is possible to enable it if you edit the /etc/config/wireless directly but then only GCMP, not allow e.g. CCMP and GCMP together. Enabling GCMP is also undocumented, as far as I can see. So in order to enable any combination of ciphers in Luci I created two PRs ( https://github.com/openwrt/luci/pull/8079 and https://github.com/openwrt/netifd/pull/60) , i,e, TKIP, CCMP, CCMP245, GCMP, and GCMP-256 in hostapd. It also updates the defaults.If no ciphers are selected then the update defaults to TKIP and CCMP for psk/wpa, TKIP, CCMP and CCMP-256 for psk2/wpa2, and CCMP CCMP-256 GCMP GCMP-256 for psk3/wpa3/sae. (Note I highly recommend removing TKIP by overruling the ciphers.)
I am posting here to request testing and reviewing of the PRs as I think improved security and performance is important.
Let me know if there are any issues.
Best Regards, Ramon
P.S. you can test this PR without compiling by copying the two files to the right directories: /www/luci-static/resources/view/network/ and /lib/netifd/
So this is the documentation https://openwrt.org/docs/guide-user/network/wifi/basic you can see there is there at the time of writing that two ciphers supported (im ignoring WEP on purpose). TKIP and CCMP. While WPA 3 does support better.. See e.g. https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/17-15/config-guide/ewc_cg_17_15/m_wpa3_security_enhancements.pdf for some information. Regardless the documentation you can check in /var/run/hostapd-phy0.conf /var/run/hostapd-phy1.conf what ciphers are passed to hostapd. This can also be tested with running on another host, not on the AP: iw dev phy1-ap2 scan You can also check iwinfo on the AP itself, but be aware that it can only report 2 ciphers, so if multiple are enabled the last few are not reported. On a windows laptop you can run netsh wlan show interface . In my case the hostapd config file only had CCMP for WPA3-SAE. This is confirmed by the other methods. After the changed files, my laptop connects on GCMP-256.
Ok that sounds like an improvement. Thank you. But can you test out the PRs as well? Without testers it likely won’t be merged. Not the end of the world for me (little bit cumbersome to keep updating those files manually each release), but other people won’t benefit from the security and performance gain of GCMP…
Sorry, I don't know enough about all these wireless cipher technologies and how they are supposed to combine. Also my router is running an outdated version of OpenWrt (basically about 2019 version), so I'm not sure whether your patch is even compatible.
Provided that the patch is compatible, I can test it, but I will need specific instructions on how to test. Otherwise, if you want to get testing help from other people, IMO you should provide specific testing instructions anyway.
To be honest, no clue if it is compatible with an old version, so probably best not to mess around with it. Testing would be pretty much run the commands as given above, check the generated hostapd config file and next to that see if there are any issues. If you have a windows laptop then net wlan show all will also show good info, e.g.:
Profile xxxxxxxxxxxxxx on interface WiFi:
=======================================================================
Applied: All User Profile
Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : xxxxxxxxxxxxxx
Control options :
Connection mode : Connect automatically
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Do not switch to other networks
MAC Randomization : Disabled
Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "xxxxxxxxxxxxxxx"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present
Security settings
-----------------
Authentication : WPA3-Personal
Cipher : GCMP-256
Authentication : WPA3-Personal
Cipher : GCMP
Authentication : WPA3-Personal
Cipher : CCMP
Security key : Present
But anyway, its fine if nobody wants to test, I will just abort the PR and keep the improved performance and security for myself.
I thought that testing would involve using the ciphers your PR enables, and ideally other ciphers as well, to make sure it doesn't break anything. Without that, how do you know that the code works and doesn't introduce new issues? And if such testing is expected then you did not post instructions for it so far.
P.s. I would suggest you to 1. try a little harder and 2. get some patience. This is a small community and finding testers is usually hard. Especially when there are no clear instructions for how to test.
I am not really introducing any new ciphers, they are already present and tested in hostapd. The only thing this PR does is that it configures hostapd to enable using them.
Ok i decided to close the PRs and close the issue as “not planned”, seeing as nobody was willing to merge the PRs. Probably a case of “the maintainers moved onto another project”…
Anyway if people still want to have this upgrade then run this script:
#!/bin/sh
FILE="/lib/netifd/netifd-wireless.sh"
# Create backup only if it does NOT already exist
if [ ! -f "${FILE}.org" ]; then
cp "$FILE" "${FILE}.org"
fi
new_block=$(cat <<'EOF'
auth_type=none
wpa_cipher=""
for item in ${encryption//"+"/" "}; do
case "$item" in
tkip) wpa_cipher="${wpa_cipher}TKIP " ;;
ccmp256) wpa_cipher="${wpa_cipher}CCMP-256 " ;;
ccmp|aes) wpa_cipher="${wpa_cipher}CCMP " ;;
gcmp256) wpa_cipher="${wpa_cipher}GCMP-256 " ;;
gcmp) wpa_cipher="${wpa_cipher}GCMP " ;;
esac
done
if [ "$hwmode" = "ad" ]; then
wpa_cipher="GCMP "
fi
if [ "${wpa_cipher}" = "" ]; then
case "$encryption" in
wpa3-192*) wpa_cipher="GCMP-256 " ;;
sae*|wpa3*) wpa_cipher="CCMP CCMP-256 GCMP GCMP-256 " ;;
psk2*|wpa2*) wpa_cipher="TKIP CCMP CCMP-256 " ;;
psk*|wpa*) wpa_cipher="TKIP CCMP " ;;
owe*) wpa_cipher="CCMP " ;;
esac
fi
# 802.11n requires CCMP for WPA
EOF
)
awk -v new="$new_block" '
BEGIN { in_block = 0 }
/auth_type=none/ {
in_block = 1
print new
next
}
in_block {
if ($0 ~ /802\.11n requires CCMP for WPA/) {
in_block = 0
}
next
}
{ print }
' "$FILE" > "$FILE.tmp" && mv "$FILE.tmp" "$FILE"
This will update the relevant section of the netifd script allowing more ciphers. You can in /etc/config/wireless specify which ciphers exactly should be available (by e.g. setting sae-GCMP-GCMP256) or just edit the defaults in the script above.
If anybody wants to try on their own system, let me know if it works.
Happy holidays
P.S. only tested on 24.10 branch, im guessing 25.12 is also ok, but i did not test.
Not a very satisfying status for sure, but well what can i do, leaving it open for a year is pointless.
Oh I forgot to mention, the luci part is not included, luci will still work if you would like to set 1 cipher and only if it is not wpa3 (somebody thought that for wpa3 there would be no need to force a cipher).
I can make a similar “update script” for the luci part as well if there is interest.
Hi, I insert comment here since been playing with GCMP lately. I couldn’t get the mesh links up between archer c6 v2 eu, archer c6u and re200 with different chips (atheros and mediatek) setting GCMP even if the resulting wpa-supplicant related config files contain the activates settings. The links don’t get passed the “notification” event into “connected” ONLY in the 5GHz, while the 2GHz mode works fine. Maybe not really related to the script in this thread, just to let know and maybe get some feedback from others trying the same.
Note: tried in both 24.10.5 and latest 25.12.0rc-2 at the moment.
Support for GCMP may depend on chipset and firmware of both sides of the connection. So enabling does not guarantee a good connection. It also depends on the version of WPA that is used. I would not try on anything lower than wpa3.
And indeed its not directly related to the neifd-wireless.sh script. The modification to the script just allows enabling it. No guarantee that it actually is going to work. But as mentioned above, on my laptop (with intel card) I do connect with GCMP-256 reliably to a GL-MT6000 over both bands. I do not see any issues with other devices (but most do connect to a wpa2 SSID where i only enabled CCMP and CCMP-256, as i segregated my network into different security zones with varying degrees of security and access)
Thanks for feedback, of course my failed tests were only for mesh links (AP worked for me also) with SAE + GCMP and only in 5GHz (2.4 GHz is fine also). Might be something with the driver, who knows, or with chips as you say (they are all AC not very new but anyway “wave2” and report GCMP supported with “iw list” comand. It would be nice to hear from others if tried this setup.
I decided to test this on my AX3600 AP with ath11k. I use WPA3 SAE and only have 5GHz enabled so it should work. I executed the script that edits netifd-wireless.sh but still cannot see any new encryption options in Luci -> Wireless > Wireless security
These are only options I can see in the Encryption drop-down:
I then tried to force CCMP256 or GCMP256 by setting "option encryption 'sae+ccmp256' or 'sae+gcmp256' but then my device (iphone 13) which should be able to utilize those protocols could not connect anymore.
Am I doing this right to enforce GCMP256 or CCMP256 on my device? Or is my ath11k driver not able to do it?
That is correct, there are two parts to the PR. The netifd-wireless script and the Luci update. The script above only adapts the netifd part. The adaprted netifd script does two things, it allows selecting the cipher, but also enables CCMP, CCMP-256, GCMP and GCMP-256 by default. So typically if the client supports GCMP it probably will use it. So what I would do is 1st check which ciphers are now available and 2nd check how your clients now connect. (see posts above)
