[PATCH RFC] Use certificate pinning to allow otherwise invalid certs

Rohit Agrawal rohit.agrawal.mn
Tue Mar 3 17:49:56 PST 2015

Hi all,

wpa_supplicant allows one to specify the sha256 hash of a certificate,
which is currently used (in src/crypto/tls_openssl.c lines 1506-1540)
to do the following:
* if a leaf certificate is valid and the certificate is pinned, don't
check the full chain (lines 1506-1507)
* if the leaf certificate is valid and the provided certificate
doesn't match the pinned one, reject it (lines 1518-1541).

I would like to propose that the behavior be modified slightly to add
the following:
* if openssl reports that the leaf certificate is _invalid_ but it
matches the pinned certificate, accept it

My use case is connecting to a RADIUS server I do not have control
over with certificate chain problems, but due to other out-of-band
reasons I trust the leaf certificate. Currently, even if I pin the
certificate, wpa_supplicant rejects it because openssl reports that
the certificate is invalid, and wpa_supplicant then ignores the fact
that I specified a pinned cert.

If this is acceptable, the following patch implements the behavior change:

More information about the Hostap mailing list