[PATCH] Send whole certificate chain from file
Maciej Szmigiero
Sat Nov 19 15:29:51 PST 2011
W dniu 19.11.2011 11:11, Jouni Malinen pisze:
> On Tue, Nov 15, 2011 at 02:03:19AM +0100, Maciej Szmigiero wrote:
>> Currently the OpenSSL implementation of TLS in hostapd loads only the top
>> certificate in the server certificate file.
>>
>> This requires any intermediate certs to be installed on the client
>> machine in order for it to be able to verify the server cert properly, and
>> violates the TLS specs (section 7.4.2) when used with such intermediate certs.
>>
>> In contrast, the GnuTLS implementation correctly loads the whole
>> chain if it's present in server certificate file.
>
> Well, I don't think I would fully agree with these comments since the
> expected hostapd configuration would have specified the CA certificates
> in the ca_cert file, not in server_cert and that would include the
> intermediate CA certificates in the TLS handshake.
I should have clarified there that I meant the situation
where CAs for clients and servers are different and the one
for servers should not be accepted as client cert issuer.
I know it could be done with TLS cert extensions but I don't know
if OpenSSL actually uses them.
> Anyway, this looks like a reasonable change to add an option of
> configuring the intermediate CA certificates in the chain without
> explicitly marking them trusted, so applied this.
>
Thank you very much!
Best regards,
Maciej Szmigiero
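As an added check (not part of the patch or of hostapd), the following script parses a PEM server-certificate file the way the thread describes it, reporting how many certificates it holds and whether they are ordered with the server (top) certificate first and each certificate issued by the next one, which is what a chain file needs to look like for the first certificate to be the server cert. The sample certificates are constructed, unsigned X.509 skeletons, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as real certificates use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der_cert):
    """Return (issuer, subject) of an X.509 cert as raw DER Name bodies."""
    tbs, fields, pos = tlv(tlv(der_cert)[1])[1], [], 0  # Certificate -> tbsCertificate
    while pos < len(tbs):
        tag, val, pos = tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:            # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject

def chain_report(pem_text):
    """Return (cert_count, problems): the leaf must come first, then each
    issuing intermediate, so flag any cert i that is not issued by cert i+1."""
    names = [issuer_and_subject(base64.b64decode("".join(b.split())))
             for b in PEM_RE.findall(pem_text)]
    problems = [f"cert {i} is not issued by cert {i + 1}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    return len(names), problems

def der(tag, body):
    """Short-form DER TLV; every constructed body below is < 128 bytes."""
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject, issuer):
    # Constructed, unsigned X.509 skeleton (not a real certificate): just
    # enough structure for the parser above, with Names as plain strings.
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, issuer.encode()) + der(0x30, b"") + der(0x30, subject.encode()))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# constructed sample chain: leaf issued by an intermediate, which a root issued
LEAF = fake_cert_pem("CN=ap.example.org", "CN=Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("CN=Example Intermediate CA", "CN=Example Root CA")
```

Run `chain_report(open("server_cert.pem").read())` against a real file: a count of 1 means an OpenSSL build without this patch had nothing to drop, while a non-empty problem list means the chain is out of order and the first certificate is not the server cert.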