nixos/hostapd: remove CCMP-256 from recommended ciphers

NixOS · Dec 22, 2024 · e6c96ae · e6c96ae
1 parent e130769
commit e6c96ae
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
@@ -707,7 +707,7 @@ in {
 
                     pairwiseCiphers = mkOption {
                       default = ["CCMP"];
-                      example = ["CCMP-256" "GCMP-256"];
+                      example = ["GCMP" "GCMP-256"];
                       type = types.listOf types.str;
                       description = ''
                         Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets).
@@ -716,7 +716,8 @@ in {
 
                         Please refer to the hostapd documentation for allowed values. Generally, only
                         CCMP or GCMP modes should be considered safe options. Most devices support CCMP while
-                        GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
+                        GCMP and GCMP-256 is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
+                        CCMP-256 support is rare.
                       '';
                     };
 
@@ -903,7 +904,7 @@ in {
                   bssCfg = bssSubmod.config;
                   pairwiseCiphers =
                     concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers
-                      ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"]));
+                      ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "GCMP" "GCMP-256"]));
                 in {
                   settings = {
                     ssid = bssCfg.ssid;