Question(s) regarding the internal TLS/crypto code in wpa_supplicant 0.5.6+

Jouni Malinen jkmaline at cc.hut.fi
Mon Jan 1 19:55:18 EST 2007


On Mon, Jan 01, 2007 at 03:06:01PM +0200, Bar, Eitan wrote:

> -	How "experimental" is the internal TLS/crypto code?

Well, for starters, it does not have years of testing that OpenSSL has
and the current number of users for the new code is quite close to zero
(though, not necessarily zero anymore ;-). As far as functionality is
concerned, I consider the code to be mostly feature complete, but it
does not include all the required validation steps for certificates.

> -	Does anyone have any data regarding its functionality with different RADIUS servers etc. (like "eap_testing.txt")?

I've run the new code against many of the servers listed in
eap_testing.txt (maybe a bit over half of them) and there are no known
interoperability issues in the main TLS protocol implementation. As far
as interoperability is concerned, the ASN.1/X.509 parsing code has not
yet been tested with a very large set of certificates, so there may be
some issues that would prevent validation of a CA certificate. I've run
some tests with commonly used CA chains (e.g., the set of trusted CAs from
Firefox) and resolved the issues found in these, but still, this is far
from complete testing.


In other words, I would expect the code to work in most cases, but there
are likely to be some corner cases that are not yet covered. In
addition, one should keep in mind that the implementation is very new
and this is not exactly the best thing for security related software.

-- 
Jouni Malinen                                            PGP id EFC895FA
