[PATCH]Send whole certificate chain from file

Maciej Szmigiero mhej
Sat Nov 19 15:29:51 PST 2011

W dniu 19.11.2011 11:11, Jouni Malinen pisze:
> On Tue, Nov 15, 2011 at 02:03:19AM +0100, Maciej Szmigiero wrote:
>> Currently OpenSSL implementation of TLS in hostapd loads only top
>> certificate in server certificate file.
>> This requires any intermediate certs to be installed on client
>> machine in order it to be able to verify server cert properly and
>> violates TLS specs (section 7.4.2) when used with such intermediate certs.
>> In contrast, the GnuTLS implementation correctly loads the whole
>> chain if it's present in server certificate file.
> Well, I don't think I would fully agree with these comments since the
> expected hostapd configuration would have specified the CA certificates
> in the ca_cert file, not in server_cert and that would include the
> intermediate CA certificates in the TLS handshake.

I should have clarified there that I meant the situation
where CAs for clients and servers are different and the one
for servers should not be accepted as client cert issuer.
I know it could be done with TLS cert extensions but I don't know
if OpenSSL actually uses them.

> Anyway, this looks like a reasonable change to add an option of
> configuring the intermediate CA certificates in the chain without
> explicitly marking them trusted, so applied this.

Thank you very much!

Best regards,
Maciej Szmigiero

More information about the Hostap mailing list