Reject expired certificates
Jouni Malinen
Wed Mar 18 09:48:55 PDT 2009
On Wed, Mar 18, 2009 at 05:12:58PM +0100, Norbert Wegener wrote:
> For testing eap/tls authentication in freeradius I use a git
> version (around 2 months old) of eapol_test.
> This works fine in general, but I found that eapol_test accepts expired
> certificates that the radius server hands out.
How did you configure eapol_test? If it is configured to validate the
server certificate (i.e., ca_cert is set), it should reject expired
certificates. If ca_cert is not set, the exact behavior depends on which
TLS library you are using (if I remember correctly, OpenSSL ends up
allowing the connection while the internal TLS implementation will
reject the expired certificate).
--
Jouni Malinen PGP id EFC895FA