TTLS with client certificate request enabled
Jouni Malinen
Thu Feb 26 12:39:32 PST 2009
On Thu, Feb 26, 2009 at 03:25:43PM -0500, TianHong Zhao wrote:
> I'm looking at the possibility of enabling EAP-TTLSV0/MSCHAPV2 with
> client certificate request, inspired by the following comments in
> "eap_config.h":
> I use the peer/server code in the eap_example, and configure the
> client_cert, private_key and private_key_passwd in the
> "eap_example_peer.c", but I do not get the "write certificate request A"
> from the server. Am I missing anything?
You will need to configure the server to require client certificate
validation.
> How do I enable TTLS with client certificate request?
There is no generic configuration option for this, but you can hardcode
the EAP-TTLS server to do this with the following change:
diff --git a/src/eap_server/eap_ttls.c b/src/eap_server/eap_ttls.c
index b097ab2..a6fe1e8 100644
--- a/src/eap_server/eap_ttls.c
+++ b/src/eap_server/eap_ttls.c
@@ -400,7 +400,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
data->ttls_version = 0;
}
- if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
+ if (eap_server_tls_ssl_init(sm, &data->ssl, 1)) {
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
eap_ttls_reset(sm, data);
return NULL;
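Review bot: changing the third argument of eap_server_tls_ssl_init() from 0 to 1 in eap_ttls_init() makes every EAP-TTLS session on this server demand a client certificate, so peers that only carry inner MSCHAPv2 credentials and no certificate will now fail at TLS setup rather than at the inner method; since the reply itself notes there is no configuration option for this, anyone keeping the change beyond a local experiment should gate the literal 1 behind a server config flag (e.g. `eap_server_tls_ssl_init(sm, &data->ssl, sm->cfg_require_client_cert)` with a hypothetical option name) instead of hardcoding it, so that the failure path logging "EAP-TTLS: Failed to initialize SSL." stays meaningful for both deployment modes.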
--
Jouni Malinen PGP id EFC895FA