Reject expired certificates

Jouni Malinen
Wed Mar 18 09:48:55 PDT 2009


On Wed, Mar 18, 2009 at 05:12:58PM +0100, Norbert Wegener wrote:

> For testing EAP-TLS authentication in FreeRADIUS I use a git
> version (around 2 months old) of eapol_test.
> This works fine in general, but I found that eapol_test accepts expired
> certificates that the RADIUS server hands out.

How did you configure eapol_test? If it is configured to validate the
server certificate (i.e., ca_cert is set), it should reject expired
certificates. If ca_cert is not set, the exact behavior depends on which
TLS library you are using (if I remember correctly, OpenSSL ends up
allowing the connection while the internal TLS implementation will
reject the expired certificate).

-- 
Jouni Malinen                                            PGP id EFC895FA
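As an added illustration of the configuration point made above (this is not a configuration from the original thread or from the hostap project itself), the following two eapol_test/wpa_supplicant network blocks show the difference between a setup that does not validate the RADIUS server certificate and one that does. The identity, certificate paths and the eapol_test command line are placeholders chosen for the example.

```conf
# WEAK: no ca_cert, so the server certificate chain is not validated at all.
# With OpenSSL as the TLS library, an expired (or otherwise bogus) server
# certificate is accepted and the EAP-TLS handshake completes.
network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"          # placeholder identity
    client_cert="/etc/cert/user.pem"     # placeholder client certificate
    private_key="/etc/cert/user.key"     # placeholder client private key
    private_key_passwd="changeme"
}

# CORRECTED: ca_cert points at the CA that issued the RADIUS server
# certificate. With validation enabled, an expired server certificate
# fails chain verification and eapol_test reports an authentication failure.
network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"          # placeholder identity
    client_cert="/etc/cert/user.pem"     # placeholder client certificate
    private_key="/etc/cert/user.key"     # placeholder client private key
    private_key_passwd="changeme"
    ca_cert="/etc/cert/ca.pem"           # placeholder CA bundle for the RADIUS server
}
```

Save the corrected block as, for example, eap-tls.conf and run eapol_test against the RADIUS server with `eapol_test -c eap-tls.conf -a <radius-ip> -p 1812 -s <shared-secret>` (address, port and secret are placeholders). A useful check is to run the same test twice, once with the server deliberately presenting an expired certificate: with ca_cert set the run must end in FAILURE, and a SUCCESS in that case means the server certificate is not actually being validated.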


