Issue with wpa_supplicant + EAP_TLS + extra certs in the device certificate PKCS#12 file + auth failures
Jouni Malinen
Mon Aug 10 15:32:33 PDT 2015
On Mon, Aug 10, 2015 at 04:03:18PM -0400, Kanago, Kerwin wrote:
> Assuming this is all intended behavior EXCEPT for getting extra copies, then adding a clear_extra_chain_certs call as follows
> seems to fix the problem:
>
> if (certs) {
>     SSL_CTX_clear_extra_chain_certs(ssl_ctx); // Remove any previous extra certs before adding them.
>     while ((cert = sk_X509_pop(certs)) != NULL) {
>     ...
>
>
> Is this a reasonable fix or am I missing something/doing something wrong?
Alas, this function did not exist before OpenSSL 1.0.1. Taking into
account that both 0.9.8 and 1.0.0 will reach their end-of-life in less
than five months, I'm not sure whether I feel like even trying to fix
this with older OpenSSL versions. In other words, I think I'll go with
this minimal fix for builds using OpenSSL 1.0.1 and more completely fix
and clean up with 1.0.2 and newer.
--
Jouni Malinen PGP id EFC895FA