Internal TLS/crypto in wpa supplicant

Jouni Malinen j
Tue Jan 8 06:51:08 PST 2008


On Tue, Jan 08, 2008 at 07:14:10AM -0500, Bryan Kadzban wrote:
> Mahendra Prajapat wrote:
> > TLSv1: Converting PEM format certificate into DER format
> 
> Not exactly sure why this is happening; can you use OpenSSL to convert
> the file before handing it to wpa_supplicant?  That may (or may not!)
> work better.  (Unless I misunderstand this message.)

This is just indicating base64 decoding, so there would not really be
any difference in processing after this even if the certificate were
configured in DER format.

> > X509: Extension: extnID=1.3.6.1.5.5.7.1.14 critical=255
> 
> That smells like an extendedKeyUsage extension?  You shouldn't need that
> extension at all (unless you're trying to use it on an MS box).  And
> having it set to critical is *completely* unnecessary, if that's what
> that OID is.

I think that's ProxyCertInfo which is required to be critical. The
problem with that is that the internal X.509 implementation does not
support this extension.

> Third would be to add support for this particular extension OID to
> wpa_supplicant's internal TLS, so it doesn't choke on the fact that it
> doesn't understand it.  I don't think changing any behavior is needed;
> simply adding this OID to the list (assuming there is a list) should be
> enough.

This is likely the only viable option if Proxy Certificate is used in
PKI.. I think that couple of small changes are needed to the X.509
certificate validation to handle this properly. I will take a look at
how easy it would be to add this into the internal X.509 implementation.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list