Bug?: Server certificate expiration is not verified when no CA certificate is provided

Jouni Malinen j at w1.fi
Tue Jun 19 05:47:28 PDT 2018

On Mon, Jun 18, 2018 at 09:25:16AM +0200, Alejandro Pérez Méndez wrote:
> I've realised that, when using EAP TTLS with no configured CA certificate,
> the server certificate expiration date is not checked at all. Hence,
> wpa_supplicant silently swallows an expired certificate without any
> complaint at all. Is this behaviour intentional or is it a bug? I can see
> scenarios where you don't want to configure a CA certificate but still would
> like WPA supplicant to do not accept expired certificates.

Trust root must be configured for EAP-TTLS for there to be any kind of
real security. I don't see much, if any, point in checking the server
certificate expiration date if there is no trust on the certificate in
the first place. Any attacker could generate their own certificate with
whatever expiration date if the client does not actually validate that
the server certificate has a valid chain to a configured trust root.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list