<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>If I run wpa_supplicant doing EAP_TLS where the device certificate PKCS#12 file also contains the intermediate<br>certificate that signed the device certificate, I get an odd behavior leading to unexpected auth failures.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If the server fails the authentication then on the next attempt the supplicant will send it’s certificate and<br>two copies of the extra certificate. On the following attempt it will send three copies of the extra cert.<br>This continues as long as the supplicant continues to try to authenticate.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If the authentication issue is resolved *<b>without restarting</b>* the supplicant (e.g. updating a CA Cert on the<br>server and restarting the server) then the supplicant will send (e.g.) 40 copies of the intermediate cert in an<o:p></o:p></p><p class=MsoNormal>Eap request that’s maybe 30k octets. At this point the server will still fail the authentication because of the number of <br>certs/size of the EAP request. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Note: This is a required use case where the intermediate cert must be included with the device certificate rather than<br>just putting in on the server. The intermediate cert is signed by a CA chain that is on the server.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I believe I’m running V2.2, but I see nothing related to this in the change log for 2.3 or 2.4.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It would appear that:<o:p></o:p></p><p class=MsoNormal>- tls_parse_pkcs12() is getting called before each authentication attempt (initially, and when the previous one failed).<o:p></o:p></p><p class=MsoNormal>- The SSL_CTX being passed in is the same each time.<o:p></o:p></p><p class=MsoNormal>- tls_parse_pkcs12() calls SSL_CTX_add_extra_chain_cert() which adds the intermediate certificate.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So the list of extra_chain_certs grows with each retry.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Assuming this is all intended behavior EXCEPT for getting extra copies, then adding a clear_extra_chain_certs call as follows<o:p></o:p></p><p class=MsoNormal>seems to fix the problem:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> if (certs) {<o:p></o:p></p><p class=MsoNormal> SSL_CTX_clear_extra_chain_certs(ssl_ctx); // Remove any previous extra certs before adding them.<o:p></o:p></p><p class=MsoNormal> while ((cert = sk_X509_pop(certs)) != NULL) {<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in;text-indent:.5in'>…<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Is this a reasonable fix or am I missing something/doing something wrong?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Kerwin<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>