CRL verification

Jouni Malinen jkmaline
Sat Apr 22 11:01:08 PDT 2006


On Fri, Apr 21, 2006 at 02:10:47PM -0700, ifreebiz at fastmail.fm wrote:
> I am trying to find out if wpa_supplicant supports verification of the
> CRL. I can see there is a function call in tls_global_set_verify()
> defined in tls.h and implemented in tls_openssl.c. But I am not sure if
> this function is used anywhere. Is that function in use? And if the CRL
> verification is supported for both TLS and TTLS?

No, it does not. CRL verification in tls_openssl.c is reserved for
hostapd (i.e., EAP server). Verifying CRL in the supplicant side is
somewhat difficult since the network connection is not usually available
when the CRL would need to be fetched from somewhere. Do you have an
authentication server that is sending out the CRL somehow as part of the
TLS handshake or would the CRL be downloaded into the client manually?

-- 
Jouni Malinen                                            PGP id EFC895FA



