Internal TLS/crypto in wpa supplicant

Bryan Kadzban bryan
Tue Jan 8 04:14:10 PST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Mahendra Prajapat wrote:
> TLSv1: Converting PEM format certificate into DER format

Not exactly sure why this is happening; can you use OpenSSL to convert
the file before handing it to wpa_supplicant?  That may (or may not!)
work better.  (Unless I misunderstand this message.)

> X509: [fields and extensions snipped]
> ASN.1: Extended tag data: 0x04
> X509: Extension: extnID=1.3.6.1.5.5.7.1.14 critical=255

That smells like an extendedKeyUsage extension?  You shouldn't need that
extension at all (unless you're trying to use it on an MS box).  And
having it set to critical is *completely* unnecessary, if that's what
that OID is.

> X509: Unknown critical extension 1.3.6.1.5.5.7.1.14

And sure enough, the critical flag is why it's failing.  Looks like the
internal TLS code doesn't understand this particular extension (although
it doesn't need to do anything special with it), and since it's marked
critical, the code fails.  (As it should -- that's the point of having a
"critical" flag.)

There are a couple options I can think of -- first would be to remove
the critical flag from the cert (you'd have to generate a new cert
though).  That way this is just a normal extension like all the others,
and you don't require every single program to understand it.  (Besides,
I believe it's a key-usage field; that's hardly something that you need
to require everything to understand.)

Second would be to remove the extension entirely, although that may mess
up other programs that use the cert.  (It would also require generating
a new cert.)

Third would be to add support for this particular extension OID to
wpa_supplicant's internal TLS, so it doesn't choke on the fact that it
doesn't understand it.  I don't think changing any behavior is needed;
simply adding this OID to the list (assuming there is a list) should be
enough.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHg2kRS5vET1Wea5wRA8vuAJ9unuEg1dO4S7o2iIEI85eH1J1+NwCgjMUY
LVXRwMG1AUcEqa+jDSP6MyY=
=Qduv
-----END PGP SIGNATURE-----



More information about the Hostap mailing list