Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be configured to use OCSP stapling (TLS certificate status request) with ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP response before connection is allowed to continue. hostapd as EAP server can be configured to return cached OCSP response using the new ocsp_stapling_response parameter and an external mechanism for updating the response data (e.g., "openssl ocsp ..." command). This allows wpa_supplicant to verify that the server certificate has not been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before actual data connection has been established (i.e., when a CRL could not be fetched even if a distribution point were specified). Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
72950ed240
commit
080585c01a
11 changed files with 263 additions and 4 deletions
|
|
@ -148,6 +148,8 @@ int authsrv_init(struct hostapd_data *hapd)
|
|||
params.private_key = hapd->conf->private_key;
|
||||
params.private_key_passwd = hapd->conf->private_key_passwd;
|
||||
params.dh_file = hapd->conf->dh_file;
|
||||
params.ocsp_stapling_response =
|
||||
hapd->conf->ocsp_stapling_response;
|
||||
|
||||
if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) {
|
||||
wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue