From e6c96aee8ca36ba8d4ee42f4d30f718633568120 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 22 Dec 2024 22:12:14 +0100
Subject: [PATCH] nixos/hostapd: remove CCMP-256 from recommended ciphers
---
 nixos/modules/services/networking/hostapd.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
index 091479a7e00bfd..8635dea738ce2b 100644
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@@ -707,7 +707,7 @@ in {
 pairwiseCiphers = mkOption {
 default = ["CCMP"];
- example = ["CCMP-256" "GCMP-256"];
+ example = ["GCMP" "GCMP-256"];
 type = types.listOf types.str;
 description = ''
 Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets).
@@ -716,7 +716,8 @@ in {
 Please refer to the hostapd documentation for allowed values. Generally, only CCMP or GCMP modes should be considered safe options. Most devices support CCMP while
- GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
+ GCMP and GCMP-256 is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
+ CCMP-256 support is rare.
 '';
 };
@@ -903,7 +904,7 @@ in {
 bssCfg = bssSubmod.config;
 pairwiseCiphers = concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers
- ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"]));
+ ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "GCMP" "GCMP-256"]));
 in {
 settings = {
 ssid = bssCfg.ssid;
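Review bot: The reworded sentence in the `pairwiseCiphers` description has a number mismatch: `GCMP and GCMP-256 is often only available` should read `GCMP and GCMP-256 are often only available`. The new last line says only that CCMP-256 support is rare, which leaves open whether the cipher is still considered safe. Presumably it was dropped for compatibility rather than weakness, so a clause such as `CCMP-256 support is rare, so it is not part of the recommended set and must be listed here explicitly if needed.` would say so. The description string begins outside this hunk.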
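Review bot: The literal `["CCMP" "GCMP" "GCMP-256"]` now encodes a policy decision with no comment beside it, so a later reader cannot tell that CCMP-256 was left out on purpose. A line such as `# CCMP-256 is intentionally omitted: client support is rare` above the `++ optionals` line would record it. The description of `enableRecommendedPairwiseCiphers` is not part of this patch; if it enumerates the ciphers it adds, it needs the same update. Access points that relied on that option will stop offering CCMP-256 unless it is listed in `pairwiseCiphers`, which seems worth a release-note entry. The `let` binding starts and the `settings` set ends outside the hunk.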