How to view WPA server's certificate?

Jouni Malinen j at w1.fi
Wed Nov 26 12:02:43 EST 2008


On Wed, Nov 26, 2008 at 11:12:21AM -0500, Dan Williams wrote:
> On Wed, 2008-11-26 at 16:32 +0200, Jouni Malinen wrote:
> > There is no such feature in wpa_supplicant, but it should be relatively
> > simple thing to add. The server certificate is available in
> > tls_verify_cb() in src/crypto/tls_openssl.c (assuming you are using
> > OpenSSL). wpa_supplicant is now just printing out the subject name of
> > the certification, but you could dump the full certificate (or a
> > fingerprint, etc.) here, too.
> 
> This is something we'd like to do in NetworkManager when the
> functionality becomes available in the supplicant.  I think both Mac OS
> X and Windows do this, but we'll want to also implement a real
> certificate store (like NSS or whatever) first, so that there's one
> single place where this stuff lives.

OK. So instead of dumping the full certificate, wpa_supplicant should
actually store a copy of it (or use the one in TLS library, if API
exists) and provide functions for fetching the current server
certificate (and CA chain, if needed) over control interface.

As far as certificate store is concerned, the OpenSSL wrapper in
wpa_supplicant already has support for using Windows store. Once an API
for something similar is available for Linux, that should hopefully be
relatively small change to use certificates from there instead of from a
file or smartcard.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list