wrong time?

Jouni Malinen j
Thu May 15 12:00:15 PDT 2008


On Thu, May 15, 2008 at 12:40:53PM -0600, Jeff Sadowski wrote:
> I'm thinking I would have networks I want it to check and others I don't.
> I can mark the ones I don't check as dirty networks and ones I do check
> as more trusted. I would like a way to specify this in the wpa_supplicant.conf
> file. If I change the source to allow Ignore can I submit the patch?

OK. You should be able to change tls_process_certificate() in
src/tls/tlsv1_client_read.c to skip call to
x509_certificate_chain_validate() if ca_cert is not configured
(conn->cred->trusted_certs == NULL). This would allow you to get full
validation by setting ca_cert network option and to skip the validation
completely by leaving out ca_cert option.

Patches are always welcome, but as far as this change is concerned, I'm
not sure whether I would actually end up including it in wpa_supplicant.
I'm bit hesitant on adding this type of options that would make it
easier to end up with an insecure network by accident. Sure, it may very
well be the only option to use some networks, but I want the users to
understand the risks involved before disabling this type of validation.
Anyway, it may be useful information for others, too, so posting a
tested patch would be valuable.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list