Hostapd 2.9 support for configuring 2 server certificates

Hello Users hellousers1987 at gmail.com
Mon Nov 1 23:31:59 PDT 2021


Hi Jouni,

Could you please help me to sort out the issue in configuring 2 server
certificates at hostapd.
The already configured server certificate is about to be expired and
requirement is to support both old and new certificates during the
transition period.

> How did you try to configure this? Did you follow the example and
> documentation shown in hostapd/hostapd.conf for
> server_cert2/private_key2/private_key_passwd2?

Yes, as per the documentation in hostapd.conf, I configured it as
below. ca_cert holds the certificate authority for both of these
certificates:

ca_cert=/tmp/certs/ca-chain.cert.pem
server_cert=/tmp/certs/radiussrv.cert.pem
private_key=/tmp/certs/radiussrv.key.pem
private_key2=/tmp/tstserver.p12
private_key_passwd2=gwvajjjkgnap

With debug prints, we usually get the configured certificate dump
after hostapd initialization in hostapd:tls_global_set_params(). So
there it dumps only the 2nd certificate, i.e. the 1st certificate is
always overwritten. I was able to connect with both of these
certificates if they are configured individually. The issue happens when 2
certificates are configured at a time. So is it really possible to
configure 2 certificates at the server side so that, based on client
capability, it connects with the appropriate certificate?

> Please also note the comment about the number of deployed station/supplicant
> implementations having interoperability issues with this capability.

So does that mean we should not go for this option?

Regards,
Jincy S Sam
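
As an added example (not hostapd code and not from the poster), the
script below parses a hostapd.conf fragment and reports how the two EAP
server credential slots are filled, using the rules stated in the
hostapd/hostapd.conf comments: slot 1 is server_cert/private_key, slot 2 is
server_cert2/private_key2 with the same semantics, a slot's certificate
comes from server_cert<N> or, if that is omitted, from a PKCS#12 (.p12/.pfx)
file given as private_key<N>, and ca_cert supplies the trust roots for both.
That the PKCS#12 shortcut also applies to slot 2 is an assumption made here,
and the function names, the finding texts and the sample input (the
configuration quoted in this thread, with the passphrase replaced by a
placeholder) are this example's own. Note that the check only reads the
configuration; whether the second slot actually holds an ECC key, as the
RSA-plus-ECC use case expects, can only be seen by inspecting the key files.

```python
"""Sanity-check the EAP server certificate slots in a hostapd.conf fragment.

Added example, not hostapd code. Slot rules taken from the comments in
hostapd/hostapd.conf; treating a PKCS#12 private_key2 as the certificate
source for slot 2 (as documented for slot 1) is an assumption.
"""
from pathlib import PurePosixPath

# Constructed input: the configuration quoted in the thread, with the real
# passphrase replaced by a placeholder.
SAMPLE_CONF = """\
# EAP server TLS credentials
ca_cert=/tmp/certs/ca-chain.cert.pem
server_cert=/tmp/certs/radiussrv.cert.pem
private_key=/tmp/certs/radiussrv.key.pem
private_key2=/tmp/tstserver.p12
private_key_passwd2=PLACEHOLDER-PASSPHRASE
"""

PKCS12_SUFFIXES = {".p12", ".pfx"}


def parse_hostapd_conf(text):
    """Parse hostapd's key=value format.

    Blank lines and lines starting with '#' are ignored; a key that appears
    twice keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_pkcs12(path):
    """True when the file name suggests a PKCS#12 bundle (certificate + key)."""
    return PurePosixPath(path).suffix.lower() in PKCS12_SUFFIXES


def check_slot(conf, suffix):
    """Describe one credential slot: '' for slot 1, '2' for slot 2."""
    cert = conf.get("server_cert" + suffix)
    key = conf.get("private_key" + suffix)
    findings = []
    if cert is None and key is None:
        return {"configured": False, "cert_source": None, "findings": findings}
    cert_source = None
    if cert is not None:
        cert_source = "server_cert" + suffix
    elif is_pkcs12(key):
        # No server_cert<N>, but the private key file is a PKCS#12 bundle,
        # which hostapd.conf documents as carrying the certificate too.
        cert_source = "private_key%s (PKCS#12)" % suffix
    else:
        findings.append(
            "no certificate for this slot: set server_cert%s or give a "
            "PKCS#12 file as private_key%s" % (suffix, suffix))
    if key is None:
        findings.append("server_cert%s set without private_key%s" % (suffix, suffix))
    return {"configured": True, "cert_source": cert_source, "findings": findings}


def check_credentials(conf):
    """Report on both slots plus the shared trust anchor."""
    report = {"1": check_slot(conf, ""), "2": check_slot(conf, "2"), "findings": []}
    if "ca_cert" not in conf:
        report["findings"].append("ca_cert missing: no trust roots for either slot")
    if report["2"]["configured"] and not report["1"]["configured"]:
        report["findings"].append("slot 2 configured without slot 1")
    return report


if __name__ == "__main__":
    for name, item in check_credentials(parse_hostapd_conf(SAMPLE_CONF)).items():
        print(name, item)
```

Run against the quoted configuration, both slots come out with a certificate
source (slot 1 from server_cert, slot 2 from the PKCS#12 file) and no
findings, so the configuration itself is not why only one certificate shows
up in the tls_global_set_params() dump.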


On Sun, Oct 17, 2021 at 9:49 AM Hello Users <hellousers1987 at gmail.com> wrote:
>
> Thanks Jouni for your reply.
>
> > How did you try to configure this? Did you follow the example and
> > documentation shown in hostapd/hostapd.conf for
> > server_cert2/private_key2/private_key_passwd2?
>
> Yes, as per the documentation in hostapd.conf, I configured it as
> below. ca_cert holds the certificate authority for both of these
> certificates:
> ca_cert=/tmp/certs/ca-chain.cert.pem
> server_cert=/tmp/certs/radiussrv.cert.pem
> private_key=/tmp/certs/radiussrv.key.pem
> private_key2=/tmp/tstserver.p12
> private_key_passwd2=gwvajjjkgnap
>
> With debug prints, we usually get the configured certificate dump
> after hostapd initialization in hostapd:tls_global_set_params(). So
> there it dumps only the 2nd certificate, i.e. the 1st certificate is
> always overwritten. I was able to connect with both of these
> certificates if they are configured individually. The issue happens when 2
> certificates are configured at a time.
> So is it really possible to configure 2 certificates at the server side
> so that, based on client capability, it connects with the appropriate
> certificate?
>
>
> > Please also note the comment about the number of deployed station/supplicant
> > implementations having interoperability issues with this capability.
>
> So does that mean we should not go for this option?
>
> Thanks and regards.
>
> On Sat, Oct 16, 2021 at 2:25 AM Jouni Malinen <j at w1.fi> wrote:
> >
> > On Mon, Oct 11, 2021 at 06:10:11PM +0530, Hello Users wrote:
> > > Please help me in understanding the below feature.
> > > As per hostapd 2.9 change logs, it mentions support to configure 2
> > > server certificates/keys(RSA/ECC). But when I tried to configure, it
> > > only took/connected with the 2nd configured certificate. The 1st
> > > configured certificate is always overwritten. What needs to be done
> > > here to get the client connected with either of the certificates?
> >
> > How did you try to configure this? Did you follow the example and
> > documentation shown in hostapd/hostapd.conf for
> > server_cert2/private_key2/private_key_passwd2?
> >
> > Please also note the comment about number of deployed station/supplicant
> > implementations having interoperability issues with this capability.
> >
> > --
> > Jouni Malinen                                            PGP id EFC895FA