[PATCH]Send whole certificate chain from file

Maciej Szmigiero mhej at o2.pl
Sat Nov 19 18:29:51 EST 2011


W dniu 19.11.2011 11:11, Jouni Malinen pisze:
> On Tue, Nov 15, 2011 at 02:03:19AM +0100, Maciej Szmigiero wrote:
>> Currently OpenSSL implementation of TLS in hostapd loads only top
>> certificate in server certificate file.
>>
>> This requires any intermediate certs to be installed on client
>> machine in order it to be able to verify server cert properly and
>> violates TLS specs (section 7.4.2) when used with such intermediate certs.
>>
>> In contrast, the GnuTLS implementation correctly loads the whole
>> chain if it's present in server certificate file.
> 
> Well, I don't think I would fully agree with these comments since the
> expected hostapd configuration would have specified the CA certificates
> in the ca_cert file, not in server_cert and that would include the
> intermediate CA certificates in the TLS handshake.

I should have clarified there that I meant the situation
where CAs for clients and servers are different and the one
for servers should not be accepted as client cert issuer.
I know it could be done with TLS cert extensions but I don't know
if OpenSSL actually uses them.

> Anyway, this looks like a reasonable change to add an option of
> configuring the intermediate CA certificates in the chain without
> explicitly marking them trusted, so applied this.
> 

Thank you very much!

Best regards,
Maciej Szmigiero



More information about the HostAP mailing list