Issue with wpa_supplicant + EAP_TLS + extra certs in the device certificate PKCS#12 file + auth failures

Kanago, Kerwin kkanago at ciena.com
Mon Aug 10 16:03:18 EDT 2015


If I run wpa_supplicant doing EAP_TLS where the device certificate PKCS#12 file also contains the intermediate
certificate that signed the device certificate, I get an odd behavior leading to unexpected auth failures.

If the server fails the authentication then on the next attempt the supplicant will send it's certificate and
two copies of the extra certificate. On the following attempt it will send three copies of the extra cert.
This continues as long as the supplicant continues to try to authenticate.

If the authentication issue is resolved *without restarting* the supplicant (e.g. updating a CA Cert on the
server and restarting the server) then the supplicant will send (e.g.) 40 copies of the intermediate cert in an
Eap request that's maybe 30k octets. At this point the server will still fail the authentication because of the number of
certs/size of the EAP request.

Note: This is a required use case where the intermediate cert must be included with the device certificate rather than
just putting in on the server. The intermediate cert is signed by a CA chain that is on the server.

I believe I'm running V2.2, but I see nothing related to this in the change log for 2.3 or 2.4.


It would appear that:
- tls_parse_pkcs12() is getting called before each authentication attempt (initially, and when the previous one failed).
- The SSL_CTX being passed in is the same each time.
- tls_parse_pkcs12() calls SSL_CTX_add_extra_chain_cert() which adds the intermediate certificate.

So the list of extra_chain_certs grows with each retry.

Assuming this is all intended behavior EXCEPT for getting extra copies, then adding a clear_extra_chain_certs call as follows
seems to fix the problem:

                if (certs) {
                                SSL_CTX_clear_extra_chain_certs(ssl_ctx);  // Remove any previous extra certs before adding them.
                                while ((cert = sk_X509_pop(certs)) != NULL) {
...


Is this a reasonable fix or am I missing something/doing something wrong?

Thanks,
Kerwin



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20150810/6e047f8b/attachment.htm>


More information about the HostAP mailing list