is CRL " certificate revocation list" checked by hostapd or openssl in eap-tls?

Jouni Malinen jkmaline at cc.hut.fi
Sat May 21 23:59:03 EDT 2005


On Thu, May 19, 2005 at 09:50:30AM +0200, thomas schorpp wrote:

> # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
> ca_cert=/etc/hostapd/wpaca/ca/CAcert.pem
> 
> # Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
> server_cert=/etc/hostapd/wpaca/certs/tom3-cert.pem
> 
> no entry for the crl.

The current CVS snapshot has a new configuration variable, check_crl.
This can be used to enable CRL verification. However, the implementation
is still quite minimal and the CRL data needs to be added into the
ca_cert file with something external (e.g., 'wget crlurl' and 'cat
ca.pem crl.pem > cafile.pem). In addition, hostapd needs to be restarted
when CRL is changed.

> i would like to implement this then, to deauthenticate users just simply
> by revoking their certs ;)

Deauthenticating users automatically based on certificate revocation
would require storing certificate information for each associated client
and going through this data whenever the CRL is updated. If rejecting
the next authentication is enough, the current hostapd snapshot should
be able to do this. However, it would be nice to add support for
automatically downloading (at least HTTP and LDAP) and updating CRL
based on CDP from the user certificates.. At least, making it easier to
update CRL without having to restart hostapd would be a good start.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list