DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

hostapd: Add configuration option check_crl_strict

Browse source 
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.

This causes the following:

- This setting does nothing when CRL checking is not enabled.

- When CRL is enabled, "strict mode" will cause CRL time errors to not
  be ignored and will continue behaving as it currently does.

- When CRL is enabled, disabling strict mode will cause CRL time
  errors to be ignored and will allow connections.

By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
This commit is contained in:
Sam Voss 2017-08-07 11:26:33 -05:00 committed by Jouni Malinen
parent 3518e3623f
commit dd5d325b0a
12 changed files with 36 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

2
eap_example/eap_example_server.c
View file

@ -88,7 +88,7 @@ static int eap_example_server_init_tls(void)
return -1;
}
if (tls_global_set_verify(eap_ctx.tls_ctx, 0)) {
if (tls_global_set_verify(eap_ctx.tls_ctx, 0, 1)) {
printf("Failed to set check_crl\n");
return -1;
}