[PATCH]Send whole certificate chain from file

Jouni Malinen j at w1.fi
Sat Nov 19 05:11:22 EST 2011


On Tue, Nov 15, 2011 at 02:03:19AM +0100, Maciej Szmigiero wrote:
> Currently OpenSSL implementation of TLS in hostapd loads only top
> certificate in server certificate file.
> 
> This requires any intermediate certs to be installed on client
> machine in order it to be able to verify server cert properly and
> violates TLS specs (section 7.4.2) when used with such intermediate certs.
> 
> In contrast, the GnuTLS implementation correctly loads the whole
> chain if it's present in server certificate file.

Well, I don't think I would fully agree with these comments since the
expected hostapd configuration would have specified the CA certificates
in the ca_cert file, not in server_cert and that would include the
intermediate CA certificates in the TLS handshake.

> This patch tries to load whole chain first in OpenSSL implementation,
> then reverts to old behavior if it fails.

Anyway, this looks like a reasonable change to add an option of
configuring the intermediate CA certificates in the chain without
explicitly marking them trusted, so applied this.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list