OpenSSL: Fix client certificate chain building after PKCS#12 use
If wpa_supplicant was first configured with a PKCS#12-based client certificate chain and then used with another network profile that used a different certificate chain from an X.509 certificate PEM file instead of PKCS#12, the extra certificate chain was not reconstructed properly with older versions of OpenSSL than 1.0.2. This could result in the authentication failing due to the client certificate chain not being complete or including incorrect certificates.

Fix this by clearing the extra certificate chain when setting up a new TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the chain using the default mechanism in case the new TLS exchange does not use PKCS#12.

The following hwsim test case sequence was able to find the issue:
ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
parent: 12a81b64e1
commit: 21cb63fffd
1 changed file with 11 additions and 0 deletions
@ -2234,6 +2234,17 @@ static int tls_connection_client_cert(struct tls_connection *conn,
if (client_cert == NULL && client_cert_blob == NULL)
return 0;
#ifdef PKCS12_FUNCS
#if OPENSSL_VERSION_NUMBER < 0x10002000L
/*
* Clear previously set extra chain certificates, if any, from PKCS#12
* processing in tls_parse_pkcs12() to allow OpenSSL to build a new
* chain properly.
*/
SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);
#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
#endif /* PKCS12_FUNCS */
if (client_cert_blob &&
SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
client_cert_blob_len) == 1) {
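Review bot: the new comment above `SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);` says what is cleared but not why the call is limited to `#if OPENSSL_VERSION_NUMBER < 0x10002000L`; a reader of this block later cannot tell whether 1.0.2 and newer no longer need the reset or simply use a different chain-building path, so one sentence such as "OpenSSL 1.0.2 and later do not reuse the context-wide extra chain here" (or whatever the actual reason is) would keep the guard from being dropped by mistake. Note also that the guard is an upper bound only: the commit message names OpenSSL 1.0.1 as the target, so if builds against older OpenSSL releases with PKCS12_FUNCS enabled are still supported, confirm that `SSL_CTX_clear_extra_chain_certs` is available there. Finally, the call operates on `conn->ssl_ctx` rather than on `conn->ssl`, so it resets the extra chain for every connection that shares that context, not just the one being set up; that is the intended behaviour per the commit message, but it is worth stating in the comment since the surrounding calls (`SSL_use_certificate_ASN1(conn->ssl, ...)`) are per-connection.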