Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be configured to use OCSP stapling (TLS certificate status request) with the ocsp=1 network block parameter. ocsp=2 can be used to require a valid OCSP response before the connection is allowed to continue. hostapd as EAP server can be configured to return a cached OCSP response using the new ocsp_stapling_response parameter and an external mechanism for updating the response data (e.g., the "openssl ocsp ..." command). This allows wpa_supplicant to verify that the server certificate has not been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before the actual data connection has been established (i.e., when a CRL could not be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>
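The refresh pipeline the commit message refers to ("openssl ocsp ..." feeding the file named by ocsp_stapling_response), as an added example that is not part of this commit or of the hostap code base. It builds a throwaway CA and EAP server certificate, has openssl answer the status request locally instead of contacting a real responder, writes the DER response hostapd would serve, and then checks that staple the way a peer configured with ocsp=2 would, before and after the certificate is revoked. The CA, the serial 0x1001, the index.txt entries and every path are constructed for the example; the hostapd and wpa_supplicant settings in the comments are placeholders; the atomic rename on refresh is general practice, not something the commit describes.

```shell
#!/bin/sh
# Added example, not part of the hostap commit. Produces and checks the DER
# OCSP response that hostapd hands out when ocsp_stapling_response is set.
#
# Assumed (placeholder) configuration on the two sides:
#   hostapd.conf        : ocsp_stapling_response=/var/lib/hostapd/ocsp.der
#   wpa_supplicant.conf : network={ ... ocsp=2 ... }   # 1 = request, 2 = require
#
# In production the refresh job asks the issuing CA's responder, e.g.
#   openssl ocsp -no_nonce -issuer ca.pem -cert server.pem -url "$OCSP_URL" -respout ocsp.der
# Offline, the same DER comes out of openssl acting as the responder itself
# (-index/-CA/-rsigner/-rkey) against the constructed CA built below.

# Constructed throwaway PKI: CA, EAP server cert with serial 0x1001, and the
# index.txt (openssl ca database format) that "-index" consults for status.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Test EAP CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=eap-server.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -set_serial 0x1001 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -out "$dir/server.pem" 2>/dev/null
    # fields: status, expiry, revocation date, serial (hex), file, subject
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=eap-server.example\n' > "$dir/index.txt"
    printf 'unique_subject = yes\n' > "$dir/index.txt.attr"
}

# Mark the server certificate revoked in the index (what the CA would do);
# the next refresh then produces a "revoked" staple.
revoke_test_cert() {
    printf 'R\t300101000000Z\t240101000000Z\t1001\tunknown\t/CN=eap-server.example\n' \
        > "$1/index.txt"
}

# Write the DER response to $2, replacing it atomically so a handshake that
# reads the file never sees a half-written staple.
refresh_ocsp_staple() {
    dir=$1; out=$2
    openssl ocsp -no_nonce -issuer "$dir/ca.pem" -cert "$dir/server.pem" \
        -index "$dir/index.txt" -CA "$dir/ca.pem" -rsigner "$dir/ca.pem" \
        -rkey "$dir/ca.key" -CAfile "$dir/ca.pem" -ndays 1 \
        -respout "$out.tmp" >/dev/null 2>&1 && mv "$out.tmp" "$out"
}

# Check a saved staple the way the peer does: the response must verify
# against the trusted CA and cover this certificate. Prints the certificate
# status ("good", "revoked", "unknown"), or "unverified" if the signature or
# chain check fails (that is the case ocsp=2 turns into a rejected handshake).
staple_status() {
    dir=$1; resp=$2
    out=$(openssl ocsp -no_nonce -respin "$resp" -issuer "$dir/ca.pem" \
        -cert "$dir/server.pem" -CAfile "$dir/ca.pem" 2>&1 || true)
    case $out in
        *"Response verify OK"*) ;;
        *) echo unverified; return 1 ;;
    esac
    # summary line is "<cert file>: <status>"
    printf '%s\n' "$out" | awk -v f="$dir/server.pem:" '$1 == f { print $2 }'
}

# Stand-alone demo (sh staple.sh demo): good staple, then revoke and refresh.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    refresh_ocsp_staple "$d" "$d/ocsp.der"
    echo "before revocation: $(staple_status "$d" "$d/ocsp.der")"
    revoke_test_cert "$d"
    refresh_ocsp_staple "$d" "$d/ocsp.der"
    echo "after revocation:  $(staple_status "$d" "$d/ocsp.der")"
    rm -rf "$d"
fi
```

The responder options (-index, -CA, -rsigner, -rkey) are only there to keep the example offline; a deployment replaces them with -url pointing at the CA's responder and runs the refresh from cron well inside the response's validity window, since a stale staple is indistinguishable from a missing one to a peer that requires a valid response.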
parent 72950ed240
commit 080585c01a
11 changed files with 263 additions and 4 deletions
@ -1,6 +1,6 @@
/*
* EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
* Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
|
@ -164,6 +164,10 @@ static int eap_tls_init_connection(struct eap_sm *sm,
{
int res;
|
if (config->ocsp)
params->flags |= TLS_CONN_REQUEST_OCSP;
if (config->ocsp == 2)
params->flags |= TLS_CONN_REQUIRE_OCSP;
data->conn = tls_connection_init(data->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
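Review bot: config->ocsp is treated as a plain integer in the two tests added here, so any value other than 0, 1 or 2 (a typo such as ocsp=3) silently behaves like ocsp=1: it sets TLS_CONN_REQUEST_OCSP but not TLS_CONN_REQUIRE_OCSP, which is the weaker of the two modes, and nothing in this hunk reports the mistake. Either reject out-of-range values where the network block parameter is parsed, or write the second test as `if (config->ocsp >= 2)` so that an unexpected value can only make the check stricter, never looser. A one-line comment above the first `if` stating that REQUEST only asks the server for a status and REQUIRE is what turns a missing or invalid response into a handshake failure would also save the next reader a trip to the TLS wrapper.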