I noticed that for WPA3 there is currently no possibility to enable GCMP in LuCI. It is possible to enable it if you edit /etc/config/wireless directly, but then only GCMP, not e.g. CCMP and GCMP together. Enabling GCMP is also undocumented, as far as I can see. So in order to enable any combination of ciphers in LuCI, I created two PRs (https://github.com/openwrt/luci/pull/8079 and https://github.com/openwrt/netifd/pull/60), i.e. TKIP, CCMP, CCMP-256, GCMP and GCMP-256 in hostapd. It also updates the defaults. If no ciphers are selected then the update defaults to TKIP and CCMP for psk/wpa, TKIP, CCMP and CCMP-256 for psk2/wpa2, and CCMP, CCMP-256, GCMP and GCMP-256 for psk3/wpa3/sae. (Note: I highly recommend removing TKIP by overruling the ciphers.)
I am posting here to request testing and reviewing of the PRs as I think improved security and performance is important.
Let me know if there are any issues.
Best Regards, Ramon
P.S. You can test this PR without compiling by copying the two files to the right directories: /www/luci-static/resources/view/network/ and /lib/netifd/
So this is the documentation: https://openwrt.org/docs/guide-user/network/wifi/basic. You can see that at the time of writing only two ciphers are supported there (I'm ignoring WEP on purpose): TKIP and CCMP. WPA3 does support better ones, see e.g. https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/17-15/config-guide/ewc_cg_17_15/m_wpa3_security_enhancements.pdf for some information. Regardless of the documentation, you can check in /var/run/hostapd-phy0.conf and /var/run/hostapd-phy1.conf what ciphers are passed to hostapd. This can also be tested by running iw dev phy1-ap2 scan on another host, not on the AP. You can also check iwinfo on the AP itself, but be aware that it can only report 2 ciphers, so if multiple are enabled the last few are not reported. On a Windows laptop you can run netsh wlan show interface. In my case the hostapd config file only had CCMP for WPA3-SAE. This is confirmed by the other methods. After the changed files, my laptop connects on GCMP-256.
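The post above says to look in the generated /var/run/hostapd-phy*.conf files to see which ciphers netifd passed to hostapd, but not which keys to look at. As an added example (not part of the thread and not from the OpenWrt or netifd PRs), the script below reads the hostapd keys that carry the pairwise cipher lists, wpa_pairwise (WPA) and rsn_pairwise (WPA2/WPA3), prints one line per BSS and cipher, and flags TKIP, which the PR author recommends removing. The interface names, SSIDs and cipher lists in the embedded sample file are constructed so the script runs offline; on an AP you would point it at the real generated files instead.

```shell
#!/bin/sh
# Added example, not from the forum thread or the OpenWrt project.
# Audits the pairwise cipher lists in a netifd-generated hostapd config.

# audit_hostapd_conf FILE
# Prints "<bss> <key> <cipher>[ WEAK]" for every cipher listed in a
# wpa_pairwise= or rsn_pairwise= line. hostapd starts a new BSS block with
# interface= (first BSS) or bss= (additional BSSes), so those names are
# carried along for context. TKIP is marked WEAK.
audit_hostapd_conf() {
    conf="$1"
    awk -F= '
        $1 == "interface" || $1 == "bss" { bss = $2; next }
        $1 == "wpa_pairwise" || $1 == "rsn_pairwise" {
            n = split($2, ciphers, " ")
            for (i = 1; i <= n; i++) {
                flag = (ciphers[i] == "TKIP") ? " WEAK" : ""
                printf "%s %s %s%s\n", bss, $1, ciphers[i], flag
            }
        }
    ' "$conf"
}

# has_tkip FILE
# Succeeds (exit 0) when at least one BSS in FILE still offers TKIP.
has_tkip() {
    audit_hostapd_conf "$1" | grep -q ' TKIP WEAK$'
}

# Constructed sample, modelled on the shape of a netifd-generated hostapd
# config (interface names, SSIDs and cipher lists are made up for this demo).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample hostapd config
interface=phy1-ap0
ssid=sample-wpa2
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP TKIP
bss=phy1-ap1
ssid=sample-wpa3
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP CCMP-256 GCMP GCMP-256
EOF

# Stand-alone run against the sample. On an AP, replace "$SAMPLE_CONF" with
# a loop over /var/run/hostapd-phy*.conf.
audit_hostapd_conf "$SAMPLE_CONF"
if has_tkip "$SAMPLE_CONF"; then
    echo "TKIP is still enabled on at least one BSS"
fi
```

On the constructed sample this lists CCMP and TKIP (flagged WEAK) for phy1-ap0 and the four CCMP/GCMP variants for phy1-ap1; the same output on a real AP shows directly whether the cipher list you selected in /etc/config/wireless actually reached hostapd, without relying on iwinfo's two-cipher limit mentioned above.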
Ok that sounds like an improvement. Thank you. But can you test out the PRs as well? Without testers it likely won’t be merged. Not the end of the world for me (little bit cumbersome to keep updating those files manually each release), but other people won’t benefit from the security and performance gain of GCMP…
Sorry, I don't know enough about all these wireless cipher technologies and how they are supposed to combine. Also my router is running an outdated version of OpenWrt (basically about 2019 version), so I'm not sure whether your patch is even compatible.
Provided that the patch is compatible, I can test it, but I will need specific instructions on how to test. Otherwise, if you want to get testing help from other people, IMO you should provide specific testing instructions anyway.
To be honest, no clue if it is compatible with an old version, so probably best not to mess around with it. Testing would be pretty much: run the commands as given above, check the generated hostapd config file and, next to that, see if there are any issues. If you have a Windows laptop then netsh wlan show all will also show good info, e.g.:
Profile xxxxxxxxxxxxxx on interface WiFi:
=======================================================================
Applied: All User Profile
Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : xxxxxxxxxxxxxx
Control options :
Connection mode : Connect automatically
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Do not switch to other networks
MAC Randomization : Disabled
Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "xxxxxxxxxxxxxxx"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present
Security settings
-----------------
Authentication : WPA3-Personal
Cipher : GCMP-256
Authentication : WPA3-Personal
Cipher : GCMP
Authentication : WPA3-Personal
Cipher : CCMP
Security key : Present
But anyway, it's fine if nobody wants to test. I will just abort the PR and keep the improved performance and security for myself.
I thought that testing would involve using the ciphers your PR enables, and ideally other ciphers as well, to make sure it doesn't break anything. Without that, how do you know that the code works and doesn't introduce new issues? And if such testing is expected then you did not post instructions for it so far.
P.S. I would suggest that you 1. try a little harder and 2. have some patience. This is a small community and finding testers is usually hard, especially when there are no clear instructions for how to test.
I am not really introducing any new ciphers, they are already present and tested in hostapd. The only thing this PR does is that it configures hostapd to enable using them.