Reject expired certificates
j at w1.fi
Wed Mar 18 12:48:55 EDT 2009
On Wed, Mar 18, 2009 at 05:12:58PM +0100, Norbert Wegener wrote:
> For testing eap/tls authentication in freeradius I use a git
> version (around 2 months old) of eapol_test.
> This works fine in general, but I found that eapol_test accepts expired
> certificates that the radius server hands out.
How did you configure eapol_test? If it is configured to validate the
server certificate (i.e., ca_cert is set), it should reject expired
certificates. If ca_cert is not set, the exact behavior depends on which
TLS library you are using (if I remember correctly, OpenSSL ends up
allowing the connection while the internal TLS implementation will
reject the expired certificate).
Jouni Malinen PGP id EFC895FA