Issue with wpa_supplicant + EAP_TLS + extra certs in the device certificate PKCS#12 file + auth failures

Jouni Malinen
Mon Aug 10 18:32:33 EDT 2015

On Mon, Aug 10, 2015 at 04:03:18PM -0400, Kanago, Kerwin wrote:
> Assuming this is all intended behavior EXCEPT for getting extra copies, then adding a clear_extra_chain_certs call as follows
> seems to fix the problem:
>                 if (certs) {
>                                 SSL_CTX_clear_extra_chain_certs(ssl_ctx);  // Remove any previous extra certs before adding them.
>                                 while ((cert = sk_X509_pop(certs)) != NULL) {
> ...
> Is this a reasonable fix or am I missing something/doing something wrong?

Alas, this function did not exist before OpenSSL 1.0.1. Taking into
account that both 0.9.8 and 1.0.0 will reach their end-of-life in less
than five months, I'm not sure whether I feel like even trying to fix
this with older OpenSSL versions. In other words, I think I'll go with
this minimal fix for builds using OpenSSL 1.0.1 and more completely fix
and clean up with 1.0.2 and newer.

Jouni Malinen                                            PGP id EFC895FA
