certificate issues in eapol_test

Václav Mach machv at cesnet.cz
Mon Jun 10 14:03:56 PDT 2019


Hi,

I've recently been playing with eapol_test and server certificates. I've 
discovered multiple cases when eapol_test outputs (option -o) something 
incorrectly (at least in my opinion).

When using domain_match configuration option or when using CA 
certificate against which server cert is validated (or both together), 
it is possible that no server certificate is written despite being 
displayed in eapol_test output. This happens when domain_match name does 
not match server name or the CA cert does not match the server cert.

When using CA cert and the server cert matches it, the CA cert gets 
copied to the output, so it looks like the server is sending the CA cert 
itself.

There are also some cases when eapol_test writes a duplicate certificate 
in the output, but I'm not sure when exactly this happens.

Also, the configuration for IPv6 support for eapol_test is missing from 
defconfig. To enable IPv6 support, I need to add: CONFIG_IPV6=y

cheers,
Vaclav
-- 
Václav Mach
tel: +420 234 680 206
CESNET, z.s.p.o.
www.cesnet.cz
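
Added example (not part of the original message and not hostap code): a check that flags the three symptoms reported above in a file written by `eapol_test -o`, namely an empty file, duplicate blocks, and a block byte-identical to the locally configured CA certificate. It assumes the output file is concatenated PEM; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """Return the SHA-256 digest of each PEM certificate block, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(text)]


def audit_output(output_pem, ca_pem=""):
    """Classify the blocks of an `eapol_test -o` file (assumed concatenated PEM).

    ca_pem is the content of the client's own ca_cert file, if one was used.
    Block indexes are zero-based positions in the output file.
    """
    trusted = set(pem_fingerprints(ca_pem))
    fingerprints = pem_fingerprints(output_pem)
    seen = set()
    report = {"total": len(fingerprints), "unique": [],
              "duplicates": [], "local_ca_copies": []}
    for index, fp in enumerate(fingerprints):
        if fp in seen:                    # same bytes already written earlier
            report["duplicates"].append(index)
            continue
        seen.add(fp)
        report["unique"].append(index)
        if fp in trusted:                 # identical to the local ca_cert file
            report["local_ca_copies"].append(index)
    return report


# Constructed sample input: placeholder bytes wrapped as PEM, not real
# certificates. Fingerprint comparison does not need parseable X.509.
CA = ssl.DER_cert_to_PEM_cert(b"constructed-ca-bytes")
LEAF = ssl.DER_cert_to_PEM_cert(b"constructed-server-bytes")
SAMPLE_OUTPUT = LEAF + CA + LEAF

if __name__ == "__main__":
    print(audit_output(SAMPLE_OUTPUT, CA))
    print(audit_output("", CA))           # the "nothing written" case
```

A `total` of 0 next to a certificate shown in the eapol_test debug output corresponds to the first symptom; entries in `local_ca_copies` only show that a block equals the local CA file, not which side supplied it.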
