Internal TLS/crypto in wpa supplicant
j at w1.fi
Tue Jan 8 09:51:08 EST 2008
On Tue, Jan 08, 2008 at 07:14:10AM -0500, Bryan Kadzban wrote:
> Mahendra Prajapat wrote:
> > TLSv1: Converting PEM format certificate into DER format
> Not exactly sure why this is happening; can you use OpenSSL to convert
> the file before handing it to wpa_supplicant? That may (or may not!)
> work better. (Unless I misunderstand this message.)
This is just indicating base64 decoding, so there would not really be
any difference in processing after this even if the certificate were
configured in DER format.
> > X509: Extension: extnID=22.214.171.124.126.96.36.199.14 critical=255
> That smells like an extendedKeyUsage extension? You shouldn't need that
> extension at all (unless you're trying to use it on an MS box). And
> having it set to critical is *completely* unnecessary, if that's what
> that OID is.
I think that's ProxyCertInfo which is required to be critical. The
problem with that is that the internal X.509 implementation does not
support this extension.
> Third would be to add support for this particular extension OID to
> wpa_supplicant's internal TLS, so it doesn't choke on the fact that it
> doesn't understand it. I don't think changing any behavior is needed;
> simply adding this OID to the list (assuming there is a list) should be
This is likely the only viable option if Proxy Certificate is used in
PKI.. I think that couple of small changes are needed to the X.509
certificate validation to handle this properly. I will take a look at
how easy it would be to add this into the internal X.509 implementation.
Jouni Malinen PGP id EFC895FA
More information about the HostAP