TTLS with client certificate request enabled

Jouni Malinen
Thu Feb 26 12:39:32 PST 2009

On Thu, Feb 26, 2009 at 03:25:43PM -0500, TianHong Zhao wrote:

> I'm looking at the possibility of enabling EAP-TTLSV0/MSCHAPV2 with
> client certificate request, inspired by the following comments in
> "eap_config.h":

> I use the peer/server code in the eap_example, and configure the
> client_cert, private_key and private_key_passwd in the
> "eap_example_peer.c", but I do not get the "write certificate request A"
> from the server, do I miss anything?

You will need to configure the server to require a client certificate.

> How to enable TTLS with client certificate request?

There is no generic configuration option for this, but you can hardcode
the EAP-TTLS server to do this with the following change:

diff --git a/src/eap_server/eap_ttls.c b/src/eap_server/eap_ttls.c
index b097ab2..a6fe1e8 100644
--- a/src/eap_server/eap_ttls.c
+++ b/src/eap_server/eap_ttls.c
@@ -400,7 +400,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
 		data->ttls_version = 0;
-	if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
+	if (eap_server_tls_ssl_init(sm, &data->ssl, 1)) {
 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
 		eap_ttls_reset(sm, data);
 		return NULL;
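
Review bot: The third argument to eap_server_tls_ssl_init() in eap_ttls_init() is changed from one bare literal to another (0 to 1) with no comment and no condition, so every EAP-TTLS session on this server gets the new behaviour, and, as the message puts it, the server then requires a client certificate from each peer. If this is to live beyond a local test build, take the value from a server configuration field instead of hardcoding it, and add a short comment at the call saying what the argument controls, so that deployments with peers that hold no certificate can leave it off.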

Jouni Malinen                                            PGP id EFC895FA
