[PATCH] TLS: Load chain certificates from client_cert file
Isaac Boukris
iboukris at gmail.com
Sun Mar 25 18:51:14 PDT 2018
Hi,
On Sun, Jan 21, 2018 at 4:36 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> This helps the server to build the chain to trusted CA.
>
> Signed-off-by: Isaac Boukris <iboukris at gmail.com>
> ---
> src/crypto/tls_openssl.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> index ce73848..3d789bb 100644
> --- a/src/crypto/tls_openssl.c
> +++ b/src/crypto/tls_openssl.c
> @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn,
> return 0;
> }
>
> - if (SSL_use_certificate_file(conn->ssl, client_cert,
> - SSL_FILETYPE_PEM) == 1) {
> + if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
> ERR_clear_error();
> - wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
> + wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
> " --> OK");
> return 0;
> }
> --
I'd like to reference the case where I found this useful against
FreeRadius server, see:
http://lists.freeradius.org/pipermail/freeradius-users/2018-January/090245.html
I left it unconditional as I assumed that without this change it
wouldn't make much sense having the chain included.
Review appreciated.
Thank you,
Isaac B.
More information about the Hostap
mailing list