Issue with wpa_supplicant + EAP_TLS + extra certs in the device certificate PKCS#12 file + auth failures

Jouni Malinen j
Mon Aug 10 15:18:05 PDT 2015

On Mon, Aug 10, 2015 at 04:03:18PM -0400, Kanago, Kerwin wrote:
> If the server fails the authentication then on the next attempt the supplicant will send it's certificate and
> two copies of the extra certificate. On the following attempt it will send three copies of the extra cert.

This doesn't actually need even a failure.. Any attempt to go through
EAP-TLS multiple times does this..

> If the authentication issue is resolved *without restarting* the supplicant (e.g. updating a CA Cert on the
> server and restarting the server) then the supplicant will send (e.g.) 40 copies of the intermediate cert in an
> Eap request that's maybe 30k octets. At this point the server will still fail the authentication because of the number of
> certs/size of the EAP request.

Lovely. Looks like the extra certificate option with PKCS#12 is not used
that much since this has not come up earlier..

> Assuming this is all intended behavior EXCEPT for getting extra copies, then adding a clear_extra_chain_certs call as follows
> seems to fix the problem:
>                 if (certs) {
>                                 SSL_CTX_clear_extra_chain_certs(ssl_ctx);  // Remove any previous extra certs before adding them.
>                                 while ((cert = sk_X509_pop(certs)) != NULL) {
> ...
> Is this a reasonable fix or am I missing something/doing something wrong?

As the initial fix, yes, that looks mostly fine and I'll make a separate
commit with just this. That said, this use of SSL_CTX here is not really
ideal like the comment just below this points out. At least
theoretically, this could result in incorrect behavior if EAP-TLS
authentication were to be run concurrently for reauthentication of the
current connection and RSN pre-authentication. Not that this is very
likely to occur in practice, it would be cleaner to move from SSL_CTX to

It looks like OpenSSL 1.0.2 added SSL_add1_chain_cert(), so I'll move to
that here when building against new enough OpenSSL version. This on its
own would also get rid of the duplication. This can also run
SSL_build_cert_chain() to rearrange the chain as needed.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list