[PATCH] OpenSSL: Accept certificates marked for both server and client use

Jouni Malinen j
Sun Feb 16 00:35:53 PST 2014


On Sat, Feb 15, 2014 at 07:05:05PM -0500, Anders Kaseorg wrote:
> How am I going to supposed to explain to the MIT network team that they 
> need to ?fix? their certificate that already conforms with every published 
> specification and works with every client except wpa_supplicant 2.1?

Just to be clear: I have not and do not in any way suggest that the AAA
server certificate here should be changed.

> Okay, then it sounds like the most reasonable solution is reverting commit 
> 51e3eafb68e15e78e98ca955704be8a6c3a7b304.

Probably yes. The unfortunate part here is that there seems to be a
conflicting requirement in this area. Hopefully, that requirement can be
changed, but if not, this is going to be much wider issue and something
else is going to be needed to work around this.

> While trying to extract these certificates, I ran into both a 256-byte 
> wpa_cli limit and a 2048-byte wpa_supplicant limit on the length of that 
> control message.  After fixing the latter (will send this patch) and 
> arbitrarily bumping up the former (we should do something about that too), 
> I?ve extracted the following:

Thanks! This is exactly the information I need for trying to get the
requirement side resolved.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list