Issue with wpa_supplicant + EAP_TLS + extra certs in the device certificate PKCS#12 file + auth failures

Jouni Malinen j
Mon Aug 10 15:32:33 PDT 2015


On Mon, Aug 10, 2015 at 04:03:18PM -0400, Kanago, Kerwin wrote:
> Assuming this is all intended behavior EXCEPT for getting extra copies, then adding a clear_extra_chain_certs call as follows
> seems to fix the problem:
> 
>                 if (certs) {
>                                 SSL_CTX_clear_extra_chain_certs(ssl_ctx);  // Remove any previous extra certs before adding them.
>                                 while ((cert = sk_X509_pop(certs)) != NULL) {
> ...
> 
> 
> Is this a reasonable fix or am I missing something/doing something wrong?

Alas, this function did not exist before OpenSSL 1.0.1. Taken into
account that both 0.9.8 and 1.0.0 will reach their end-of-life in less
than five months, I'm not sure whether I feel like even trying to fix
this with older OpenSSL versions.. In other words, I think I'll go with
this minimal fix for builds using OpenSSL 1.0.1 and more completely fix
and cleanup with 1.0.2 and newer.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list