Bug?: Server certificate expiration is not verified when no CA certificate is provided

Alejandro Pérez Méndez alex at um.es
Tue Jun 19 06:02:28 PDT 2018


> On Mon, Jun 18, 2018 at 09:25:16AM +0200, Alejandro Pérez Méndez wrote:
>> I've realised that, when using EAP TTLS with no configured CA certificate,
>> the server certificate expiration date is not checked at all. Hence,
>> wpa_supplicant silently swallows an expired certificate without any
>> complaint at all. Is this behaviour intentional or is it a bug? I can see
>> scenarios where you don't want to configure a CA certificate but still would
>> like WPA supplicant to do not accept expired certificates.
> Trust root must be configured for EAP-TTLS for there to be any kind of
> real security. I don't see much, if any, point in checking the server
> certificate expiration date if there is no trust on the certificate in
> the first place. Any attacker could generate their own certificate with
> whatever expiration date if the client does not actually validate that
> the server certificate has a valid chain to a configured trust root.
>
Yeah, I see your point. We are using libeap directly, and using the 
server certificate fingerprint for trust. In that case, you'd like to 
trust the certificate with the specified fingerprint, but only as long 
as it is not expired.

But probably this does not make much sense in wpa_supplicant where you 
don't have fingerprint based trust.

Regards,
Alejandro



More information about the Hostap mailing list