GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support

Jouni Malinen jkmaline
Thu Dec 15 20:14:28 PST 2005 

On Thu, Dec 15, 2005 at 05:47:47PM +0100, Simon Josefsson wrote:

> Right.  How you looked at other TLS implementations for Windows?
> SecureW2 include one, and even has a EAP-TTLS client:
> 
> http://www.securew2.com/uk/index.htm
> 
> Perhaps it is possible to re-use some of the code.  I did find a huge
> security hole when I looked at it briefly a while ago, so I understand
> if you wouldn't want to incorporate that code.

I did take a look at that when researching what can be done with
Schannel and other native Windows mechanisms. However, SecureW2 looked
like a complete TLS implementation that just used CAPI for low-level
functions. If I remember correctly, the source code did not look very
clean to me and I did not feel like implementing yet another TLS library
at that point since the goal was to get native TLS code into use without
having to use any additional libraries.

> Has wpa-supplicant with GnuTLS been tested under Windows?

I'm not aware of such test. For some reason, I did not even think that
GnuTLS had already been ported to Windows, but now that I take a look at
what google finds on that topic, there was indeed some discussion about
MinGW build in August. If the results of that discussion are now
included in 1.3.x versions, it should be quite easy to run
wpa_supplicant tests with GnuTLS under Windows. Do you happen to know,
whether the code can be built with MSVC or just MinGW/gcc?

> Perhaps it would be useful to separate the CAPI stuff in
> tls_openssl.c, so that retrieving the certificate and keys from the
> Windows store isn't OpenSSL specific.

Agreed, that sounds like a very good idea. I haven't looked into how
low-level private key operations could be replaced in GnuTLS, but I
would expect it to end up using something very similar to the code used
in tls_openssl.c. Private keys are not exported, so this requires
somewhat low-level code to be replaced in the TLS library.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list