[PATCH RFC] Use certificate pinning to allow otherwise invalid certs
Rohit Agrawal
rohit.agrawal.mn
Tue Mar 3 17:49:56 PST 2015
Hi all,
wpa_supplicant allows one to specify the sha256 hash of a certificate,
which is currently used (in src/crypto/tls_openssl.c lines 1506-1540)
to do the following:
* if a leaf certificate is valid and the certificate is pinned, don't
check the full chain (lines 1506-1507)
* if the leaf certificate is valid and the provided certificate
doesn't match the pinned one, reject it (lines 1518-1541).
I would like to propose that the behavior be modified slightly to add
the following:
* if openssl reports that the leaf certificate is _invalid_ but it
matches the pinned certificate, accept it
My use case is connecting to a RADIUS server I do not have control
over with certificate chain problems, but due to other out-of-band
reasons I trust the leaf certificate. Currently, even if I pin the
certificate, wpa_supplicant rejects it because openssl reports that
the certificate is invalid, and wpa_supplicant then ignores the fact
that I specified a pinned cert.
If this is acceptable, the following patch implements the behavior change:
More information about the Hostap
mailing list