Wpa supplicant as a class. Certificate problems.

Douglas Diniz dgdiniz at gmail.com
Fri Jun 27 13:27:11 EDT 2008


Well, I think I found the solution. Now I understood the TTLS algorithm. We
only need the ca cert in the client and the server cert on the server. We
don't need ca cert on server with TTLS. With freeradius we must configure
the ca cert on server and because this I thought that ca cert on server was
necessary, but with wpasupplicant/hostap isn't necessary. After studing ttls
algorithm I undestood the reason why.

With TLS we need configure ca cert both in client and server, and both
client and server certs too.

Now everything is working. :-)

On Wed, Jun 25, 2008 at 4:45 PM, Douglas Diniz <dgdiniz at gmail.com> wrote:

> Hi.
>
> I was using wpa supplicant normally in my work, authenticating with
> TTLS/Mschapv2.
> I changed wpasupplicant code to work as a class, creating a function
> interface where I send a Eap packet as parameter and the class return
> another Eap packet as response.
> To do this I used  the GIT code:
> http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=tree  , changing some parts
> of the code based on my needs.
>
> All is working fine, but something is very strange about the certificates.
>
> In eap_example_peer.c the certificates are load as following:
>
>     eap_ctx.eap_config.identity = (u8 *) os_strdup("user");
>     eap_ctx.eap_config.identity_len = 4;
>     eap_ctx.eap_config.password = (u8 *) os_strdup("password");
>     eap_ctx.eap_config.password_len = 8;
>     eap_ctx.eap_config.ca_cert = (u8 *) os_strdup("ca.pem");
>
> In eap_example_server.c are loaded as:
>
>     tparams.ca_cert = "ca.pem";
>     tparams.client_cert = "server.pem";
>     tparams.private_key = "server.key";
>     tparams.private_key_passwd = "whatever";
>
> This someway works. Then I changed the code to point to my certs:
>
>     peer:
>
>     eap_ctx.eap_config.identity = (u8 *) os_strdup("user");
>     eap_ctx.eap_config.identity_len = 4;
>     eap_ctx.eap_config.password = (u8 *) os_strdup("password");
>     eap_ctx.eap_config.password_len = 8;
>     eap_ctx.eap_config.ca_cert = (u8 *)
> os_strdup("/home/douglas/DougTesteWPA/certificates/cacert.pem");
>
>    server:
>
>     tparams.ca_cert = "/home/douglas/DougTesteWPA/certificates/cacert.pem";
>     tparams.client_cert =
> "/home/douglas/DougTesteWPA/certificates/server_keycert.pem";
>     tparams.private_key =
> "/home/douglas/DougTesteWPA/certificates/server_keycert.pem";
>     tparams.private_key_passwd = "doug";
>
> This also works, but the strange is:
>
> 1-)  I can change private_key_passwd to any password and the authentication
> still works!!!  This password must be the same used to create the cacert,
> right?
>
> 2-) I can change the server cacert to any other cacert and the
> authentication still works!!! In TLS/TTLS all Ca's must be the same, right?
>
> If I change server cert/key or the client ca, the authentication fails. Its
> seems that I only must have the client cacert and the server cert/key
> (derived from the client cacert) to authentication works. Then its seems
> that server cacert and private_key_passwd are not necessary.
> The strange is that authentication works. The phase 2 is working normally.
> If I change the mschapv2 user/password from server or client, authentication
> fails. Then all is ok.
>
> Someone knows what is happening?
>
> Thanks....
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20080627/6f041731/attachment.htm 


More information about the HostAP mailing list