[PATCH] Send whole certificate chain from file

Jouni Malinen j
Sat Nov 19 02:11:22 PST 2011


On Tue, Nov 15, 2011 at 02:03:19AM +0100, Maciej Szmigiero wrote:
> Currently the OpenSSL implementation of TLS in hostapd loads only the top
> certificate in the server certificate file.
> 
> This requires any intermediate certs to be installed on the client
> machine in order for it to be able to verify the server cert properly, and
> violates the TLS specs (section 7.4.2) when used with such intermediate certs.
> 
> In contrast, the GnuTLS implementation correctly loads the whole
> chain if it's present in server certificate file.

Well, I don't think I would fully agree with these comments since the
expected hostapd configuration would have specified the CA certificates
in the ca_cert file, not in server_cert and that would include the
intermediate CA certificates in the TLS handshake.

> This patch tries to load the whole chain first in the OpenSSL implementation,
> then reverts to the old behavior if that fails.

Anyway, this looks like a reasonable change to add an option of
configuring the intermediate CA certificates in the chain without
explicitly marking them trusted, so applied this.

-- 
Jouni Malinen                                            PGP id EFC895FA
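The difference the thread is about, shown as an added example rather than anything from hostapd itself: a small stdlib-only Python helper that splits a PEM bundle into its CERTIFICATE blocks and reports what a "first certificate only" backend would send versus a "whole file" backend. The sample bundle is constructed (base64 of labels, not real X.509 data), and the function names are this example's own. The OpenSSL call that reads a full chain from one file, SSL_CTX_use_certificate_chain_file(), is a known OpenSSL API but is not named on the page; as Jouni notes, the alternative is to put the intermediates in ca_cert, which this check does not cover.

```python
"""Inspect a server_cert PEM bundle the way the two TLS backends on the page treat it.

Constructed example, not hostapd code: the pre-patch OpenSSL backend used only the
first certificate in the file, the GnuTLS backend used every certificate in it.
"""
import base64
import re
from typing import List

# One CERTIFICATE block, body captured non-greedily so several blocks can follow.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_certificates(pem_text: str) -> List[str]:
    """Return every CERTIFICATE block in file order, re-wrapped as canonical PEM.

    Comments and blank lines between blocks are ignored, as OpenSSL/GnuTLS do.
    """
    certs = []
    for body in PEM_CERT_RE.findall(pem_text):
        b64 = "".join(body.split())                       # drop line breaks/indent
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(
            f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        )
    return certs


def first_cert_only(pem_text: str) -> List[str]:
    """What a backend that loads only the top certificate would present."""
    return split_pem_certificates(pem_text)[:1]


def whole_chain(pem_text: str) -> List[str]:
    """What a backend that loads the entire file would present."""
    return split_pem_certificates(pem_text)


def dropped_intermediates(pem_text: str) -> int:
    """Certificates silently omitted by the first-cert-only behaviour.

    A non-zero result on a server_cert file means clients would have to hold the
    intermediates themselves (or they belong in ca_cert) for the chain to verify.
    """
    return max(0, len(split_pem_certificates(pem_text)) - 1)


def _fake_pem_block(label: bytes) -> str:
    # Constructed placeholder: base64 of a label, NOT a real X.509 certificate.
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed server_cert bundle: leaf first, then two intermediates.
SAMPLE_SERVER_CERT_FILE = (
    "# server_cert as an administrator might write it (constructed sample)\n"
    + _fake_pem_block(b"leaf: EAP server certificate (constructed)")
    + "\n"
    + _fake_pem_block(b"intermediate CA 1 (constructed)")
    + _fake_pem_block(b"intermediate CA 2 (constructed)")
)

if __name__ == "__main__":
    print("first-cert-only backend sends:", len(first_cert_only(SAMPLE_SERVER_CERT_FILE)))
    print("whole-chain backend sends:    ", len(whole_chain(SAMPLE_SERVER_CERT_FILE)))
    print("intermediates dropped:        ", dropped_intermediates(SAMPLE_SERVER_CERT_FILE))
```

Run it against a real server_cert file (read the file into `pem_text`) to see whether a deployment relied on the old single-certificate behaviour; a non-zero "dropped" count is the configuration the patch changes.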
