Index: debian/patches/series
===================================================================
--- debian/patches/series	(revision 1790)
+++ debian/patches/series	(working copy)
@@ -5,5 +5,6 @@
 11_wpa_gui_ftbfs_gcc_4_7.patch
 12_wpa_gui_knotify_support.patch
 13_human_readable_signal.patch
+14_RFC4507_ticket_workaround.patch
 libnl3-includes.patch
 EAP-TLS-server_fix-TLS-Message-length-validation.patch
Index: debian/patches/14_RFC4507_ticket_workaround.patch
===================================================================
--- debian/patches/14_RFC4507_ticket_workaround.patch	(revision 0)
+++ debian/patches/14_RFC4507_ticket_workaround.patch	(revision 0)
@@ -0,0 +1,275 @@
+Description: Disable RFC4507 session ticket extension in every second
+ connection attempt
+ See also:
+ http://w1.fi/bugz/show_bug.cgi?id=447
+Author: Balint Reczey <balint@balintreczey.hu>
+Bug-Debian: http://bugs.debian.org/561081
+---
+Index: a/src/crypto/tls_nss.c
+===================================================================
+--- a/src/crypto/tls_nss.c	(revision 1790)
++++ a/src/crypto/tls_nss.c	(working copy)
+@@ -596,7 +596,8 @@
+ 
+ 
+ int tls_connection_enable_workaround(void *tls_ctx,
+-				     struct tls_connection *conn)
++				     struct tls_connection *conn,
++				     struct eap_peer_config *config)
+ {
+ 	return -1;
+ }
+Index: a/src/crypto/tls_internal.c
+===================================================================
+--- a/src/crypto/tls_internal.c	(revision 1790)
++++ a/src/crypto/tls_internal.c	(working copy)
+@@ -544,7 +544,8 @@
+ 
+ 
+ int tls_connection_enable_workaround(void *tls_ctx,
+-				     struct tls_connection *conn)
++				     struct tls_connection *conn,
++				     struct eap_peer_config *config)
+ {
+ 	return -1;
+ }
+Index: a/src/crypto/tls_gnutls.c
+===================================================================
+--- a/src/crypto/tls_gnutls.c	(revision 1790)
++++ a/src/crypto/tls_gnutls.c	(working copy)
+@@ -1136,7 +1136,8 @@
+ 
+ 
+ int tls_connection_enable_workaround(void *ssl_ctx,
+-				     struct tls_connection *conn)
++				     struct tls_connection *conn,
++				     struct eap_peer_config *config)
+ {
+ 	gnutls_record_disable_padding(conn->session);
+ 	return 0;
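Review bot: The GnuTLS backend ignores the new `config` argument and still calls `gnutls_record_disable_padding(conn->session)` unconditionally, while this patch adds callers in eap_peap.c, eap_ttls.c and eap_tls.c that reach this function on every second init. On GnuTLS builds that turns record padding off for those methods as well, which, judging by the callers visible in this patch, was previously done only for EAP-FAST. The call should be gated like the OpenSSL one, `if (config->flags & EAP_CONFIG_FLAGS_DONT_INSERT_EMPTY_FRAGMENTS) gnutls_record_disable_padding(conn->session);`, which also needs `#include "eap_peer/eap_config.h"` in this file. The function's closing brace is outside the hunk.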
+Index: a/src/crypto/tls.h
+===================================================================
+--- a/src/crypto/tls.h	(revision 1790)
++++ b/src/crypto/tls.h	(working copy)
+@@ -15,6 +15,7 @@
+ #ifndef TLS_H
+ #define TLS_H
+ 
++struct eap_peer_config;
+ struct tls_connection;
+ 
+ struct tls_keys {
+@@ -437,13 +438,15 @@
+  * tls_connection_enable_workaround - Enable TLS workaround options
+  * @tls_ctx: TLS context data from tls_init()
+  * @conn: Connection context data from tls_connection_init()
++ * @config: Configuration corresponding to the connection
+  * Returns: 0 on success, -1 on failure
+  *
+  * This function is used to enable connection-specific workaround options for
+  * buffer SSL/TLS implementations.
+  */
+ int __must_check tls_connection_enable_workaround(void *tls_ctx,
+-						  struct tls_connection *conn);
++						  struct tls_connection *conn,
++						  struct eap_peer_config *config);
+ 
+ /**
+  * tls_connection_client_hello_ext - Set TLS extension for ClientHello
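Review bot: The new `@config` line does not say what the backends read from the configuration or that the pointer must be valid, although tls_openssl.c dereferences `config->flags` without a NULL check. I would document it as `@config: EAP peer configuration; only config->flags is read (EAP_CONFIG_FLAGS_NO_TICKET_EXT, EAP_CONFIG_FLAGS_DONT_INSERT_EMPTY_FRAGMENTS); must not be NULL`. The description could also state that the backends other than OpenSSL ignore the argument in this patch, so the flags have no effect there.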
+Index: a/src/crypto/tls_none.c
+===================================================================
+--- a/src/crypto/tls_none.c	(revision 1790)
++++ a/src/crypto/tls_none.c	(working copy)
+@@ -154,7 +154,8 @@
+ 
+ 
+ int tls_connection_enable_workaround(void *tls_ctx,
+-				     struct tls_connection *conn)
++				     struct tls_connection *conn,
++				     struct eap_peer_config *config)
+ {
+ 	return -1;
+ }
+Index: a/src/crypto/tls_schannel.c
+===================================================================
+--- a/src/crypto/tls_schannel.c	(revision 1790)
++++ a/src/crypto/tls_schannel.c	(working copy)
+@@ -649,7 +649,8 @@
+ 
+ 
+ int tls_connection_enable_workaround(void *ssl_ctx,
+-				     struct tls_connection *conn)
++				     struct tls_connection *conn,
++				     struct eap_peer_config *config)
+ {
+ 	return 0;
+ }
+Index: a/src/crypto/tls_openssl.c
+===================================================================
+--- b/src/crypto/tls_openssl.c	(revision 1790)
++++ b/src/crypto/tls_openssl.c	(working copy)
+@@ -36,6 +36,7 @@
+ #include "common.h"
+ #include "crypto.h"
+ #include "tls.h"
++#include "eap_peer/eap_config.h"
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+ #define OPENSSL_d2i_TYPE const unsigned char **
+@@ -2618,10 +2619,17 @@
+ 
+ 
+ int tls_connection_enable_workaround(void *ssl_ctx,
+-				     struct tls_connection *conn)
++				     struct tls_connection *conn,
++				     struct eap_peer_config *config)
+ {
+-	SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++	if (config->flags & EAP_CONFIG_FLAGS_DONT_INSERT_EMPTY_FRAGMENTS) {
++		SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++	}
+ 
++	if (config->flags | EAP_CONFIG_FLAGS_NO_TICKET_EXT) {
++		SSL_set_options(conn->ssl, SSL_OP_NO_TICKET);
++	}
++
+ 	return 0;
+ }
+ 
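Review bot: The ticket check uses bitwise OR, `config->flags | EAP_CONFIG_FLAGS_NO_TICKET_EXT`, which is non-zero for every value of `flags`, so `SSL_OP_NO_TICKET` is set on every call instead of only when the flag is present. It should read `if (config->flags & EAP_CONFIG_FLAGS_NO_TICKET_EXT) {`. As written, the EAP-FAST path in eap_fast.c, which calls this function on every init, always runs with session tickets disabled; as far as I know EAP-FAST carries its PAC-Opaque in the SessionTicket extension, so that path deserves a test. If older OpenSSL headers must still build, wrapping the call in `#ifdef SSL_OP_NO_TICKET` would avoid a compile failure.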
+Index: a/src/eap_peer/eap_config.h
+===================================================================
+--- a/src/eap_peer/eap_config.h	(revision 1790)
++++ a/src/eap_peer/eap_config.h	(working copy)
+@@ -625,6 +625,8 @@
+ 	int fragment_size;
+ 
+ #define EAP_CONFIG_FLAGS_PASSWORD_NTHASH BIT(0)
++#define EAP_CONFIG_FLAGS_NO_TICKET_EXT   BIT(1)
++#define EAP_CONFIG_FLAGS_DONT_INSERT_EMPTY_FRAGMENTS BIT(2)
+ 	/**
+ 	 * flags - Network configuration flags (bitfield)
+ 	 *
+@@ -632,6 +634,8 @@
+ 	 * for the network parameters.
+ 	 * bit 0 = password is represented as a 16-byte NtPasswordHash value
+ 	 *         instead of plaintext password
++	 * bit 1 = don't use RFC4507 ticket extension 
++	 * bit 2 = disable workaround for CBC which uses empty fragments
+ 	 */
+ 	u32 flags;
+ };
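Review bot: The two new flag descriptions read as static network settings, but in this patch both bits are written at run time by the EAP method init functions, and bit 2 removes a protection rather than adding one. As far as I know, OpenSSL's empty fragments are its countermeasure against the predictable-IV weakness of CBC in SSL 3.0/TLS 1.0, so the comment should say that setting the bit turns that countermeasure off. Suggested wording: `bit 1 = run-time state, toggled on each method init: skip the RFC 4507 session ticket extension on this attempt` and `bit 2 = run-time state: do not send the empty CBC fragments (removes the CBC IV countermeasure; set by EAP-FAST)`. The trailing space after `extension` on the bit 1 line can go as well.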
+Index: a/src/eap_peer/eap_peap.c
+===================================================================
+--- a/src/eap_peer/eap_peap.c	(revision 1790)
++++ b/src/eap_peer/eap_peap.c	(working copy)
+@@ -171,6 +171,23 @@
+ 		return NULL;
+ 	}
+ 
++	/* 
++	 * http://w1.fi/bugz/show_bug.cgi?id=447
++	 * Every second init attempt is performed with RFC4507 session ticket
++	 * extension tuned off to work around buggy servers, but to not break
++	 * connection to correct ones
++	 * TODO make this configurable?
++	 */
++	if (config->flags & EAP_CONFIG_FLAGS_NO_TICKET_EXT) {
++		if (tls_connection_enable_workaround(sm->ssl_ctx, data->ssl.conn, config)) {
++        	        wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to enable TLS "
++                	           "workarounds");
++        	}
++		config->flags &= ~EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	} else {
++		config->flags |= EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	}
++
+ 	return data;
+ }
+ 
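Review bot: The every-second-attempt state is kept in `config->flags`, a bit that the eap_ttls.c, eap_tls.c and eap_fast.c hunks toggle as well, and it flips on each init call rather than after a failed attempt. If two of these methods are initialised against the same network block within one authentication, the bit flips twice and each method sees the same value every time, so the alternation never happens; a successful session is also followed by a ticket-less one without need. The parity would be safer in a dedicated field, or at least commented, e.g. `/* NOTE: flips on every init of any TLS-based method using this config, not per failed attempt */`. The `wpa_printf` continuation lines mix spaces and tabs, unlike the tab-indented context lines. The enclosing init function starts outside the hunk.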
+Index: a/src/eap_peer/eap_ttls.c
+===================================================================
+--- a/src/eap_peer/eap_ttls.c	(revision 1790)
++++ a/src/eap_peer/eap_ttls.c	(working copy)
+@@ -122,6 +122,23 @@
+ 		return NULL;
+ 	}
+ 
++	/* 
++	 * http://w1.fi/bugz/show_bug.cgi?id=447
++	 * Every second init attempt is performed with RFC4507 session ticket
++	 * extension tuned off to work around buggy servers, but to not break
++	 * connection to correct ones
++	 * TODO make this configurable?
++	 */
++	if (config->flags & EAP_CONFIG_FLAGS_NO_TICKET_EXT) {
++		if (tls_connection_enable_workaround(sm->ssl_ctx, data->ssl.conn, config)) {
++        	        wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to enable TLS "
++                	           "workarounds");
++        	}
++		config->flags &= ~EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	} else {
++		config->flags |= EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	}
++
+ 	return data;
+ }
+ 
+Index: a/src/eap_peer/eap_fast.c
+===================================================================
+--- a/src/eap_peer/eap_fast.c	(revision 1790)
++++ b/src/eap_peer/eap_fast.c	(working copy)
+@@ -195,11 +195,25 @@
+ 	 * fragments before data, so disable that workaround for CBC.
+ 	 * TODO: consider making this configurable
+ 	 */
+-	if (tls_connection_enable_workaround(sm->ssl_ctx, data->ssl.conn)) {
++	config->flags |= EAP_CONFIG_FLAGS_DONT_INSERT_EMPTY_FRAGMENTS;
++	if (tls_connection_enable_workaround(sm->ssl_ctx, data->ssl.conn, config)) {
+ 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to enable TLS "
+ 			   "workarounds");
+ 	}
+ 
++	/* 
++	 * http://w1.fi/bugz/show_bug.cgi?id=447
++	 * Every second init attempt is performed with RFC4507 session ticket
++	 * extension tuned off to work around buggy servers, but to not break
++	 * connection to correct ones
++	 * TODO make this configurable?
++	 */
++	if (config->flags & EAP_CONFIG_FLAGS_NO_TICKET_EXT) {
++		config->flags &= ~EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	} else {
++		config->flags |= EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	}
++
+ 	if (data->use_pac_binary_format &&
+ 	    eap_fast_load_pac_bin(sm, &data->pac, config->pac_file) < 0) {
+ 		eap_fast_deinit(sm, data);
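Review bot: `config->flags |= EAP_CONFIG_FLAGS_DONT_INSERT_EMPTY_FRAGMENTS` is never cleared, so the bit stays in the shared configuration after EAP-FAST init, and the calls added in eap_peap.c, eap_ttls.c and eap_tls.c will then set `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` for those methods too. Clearing it right after the call, `config->flags &= ~EAP_CONFIG_FLAGS_DONT_INSERT_EMPTY_FRAGMENTS;`, keeps the relaxation scoped to EAP-FAST. The ticket toggle runs after `tls_connection_enable_workaround()`, so the value the call sees is the one left by the previous init, and the if/else is equivalent to `config->flags ^= EAP_CONFIG_FLAGS_NO_TICKET_EXT;`. The enclosing function starts and ends outside the hunk.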
+Index: a/src/eap_peer/eap_tls.c
+===================================================================
+--- a/src/eap_peer/eap_tls.c	(revision 1790)
++++ b/src/eap_peer/eap_tls.c	(working copy)
+@@ -64,6 +64,23 @@
+ 		return NULL;
+ 	}
+ 
++	/* 
++	 * http://w1.fi/bugz/show_bug.cgi?id=447
++	 * Every second init attempt is performed with RFC4507 session ticket
++	 * extension tuned off to work around buggy servers, but to not break
++	 * connection to correct ones
++	 * TODO make this configurable?
++	 */
++	if (config->flags & EAP_CONFIG_FLAGS_NO_TICKET_EXT) {
++		if (tls_connection_enable_workaround(sm->ssl_ctx, data->ssl.conn, config)) {
++        	        wpa_printf(MSG_DEBUG, "EAP-TLS: Failed to enable TLS "
++                	           "workarounds");
++        	}
++		config->flags &= ~EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	} else {
++		config->flags |= EAP_CONFIG_FLAGS_NO_TICKET_EXT;
++	}
++
+ 	return data;
+ }
+ 
