Hello everyone,

I have a project that is using hostapd with its integrated eap_server with EAP-TLS authentication. I'm running into an issue with the check_crl feature. When the CRL expires it rejects all EAP-TLS authentication attempts with a "TLS: Certificate verification failed, error 12 (CRL has expired) depth 0" error.

I have a use case/requirement that I need to continue allowing clients to authenticate even if the CRL has expired, as I won't always have the ability to download a new CRL when the current one expires. strongSwan, for example, has a "strictcrlpolicy" option that makes it tolerant of an expired CRL. With this option disabled, if the expiration date defined by the nextUpdate field of a CRL has been reached a warning is issued, but a peer certificate will still be accepted if it has not been revoked.

I've looked, and an option such as this doesn't seem to exist for hostapd. Would the community be willing to consider a patch-set adding such a feature? I'm thinking of adding a new "check_crl_strict" config option that defaults to the current behavior but when set to 0 ignores the OpenSSL error codes related to CRL validation dates. Or possibly add more options to the "check_crl" config option such that when set to 3 or 4 it behaves the same as 1 and 2 respectively but ignores the CRL validation dates.

I'd appreciate any input.

Thanks,
David

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
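To make the two proposals in the post concrete, here is an added illustration (not hostapd code, and not a patch against it) of the accept/reject decision that either a "check_crl_strict" option or the extra check_crl values 3 and 4 would have to make inside an OpenSSL verify callback. It is written in plain C with no OpenSSL dependency so it runs stand-alone; the X509_V_ERR_* values are assumed to match OpenSSL's x509_vfy.h (error 12 is the one quoted in the post), and the struct, function names and the constructed handshake events are all hypothetical. The point it demonstrates is the narrowness of the override: only the CRL's own validity-window errors are tolerated, while a revoked certificate or a missing CRL still aborts the handshake.

```c
/* Added example: model of the CRL-date tolerance policy proposed in the
 * post.  Not hostapd's implementation; names and values are assumptions. */
#include <stdio.h>

/* Assumed to match OpenSSL's x509_vfy.h verify error codes. */
#define X509_V_OK                      0
#define X509_V_ERR_UNABLE_TO_GET_CRL   3
#define X509_V_ERR_CRL_NOT_YET_VALID  11
#define X509_V_ERR_CRL_HAS_EXPIRED    12   /* the "error 12" from the post */
#define X509_V_ERR_CERT_REVOKED       23

/* Hypothetical parsed configuration: check_crl as in hostapd.conf
 * (0 = off, 1 = peer cert only, 2 = full chain) plus the proposed
 * check_crl_strict (1 = current behaviour, 0 = tolerate CRL date errors). */
struct crl_policy {
    int check_crl;
    int check_crl_strict;
};

/* Second proposal from the post: encode strictness in check_crl itself,
 * where 3 and 4 behave like 1 and 2 but ignore CRL validation dates.
 * Returns 0 on success, -1 for an unknown value. */
int parse_check_crl_value(int value, struct crl_policy *out)
{
    switch (value) {
    case 0: case 1: case 2:
        out->check_crl = value;
        out->check_crl_strict = 1;
        return 0;
    case 3: case 4:
        out->check_crl = value - 2;
        out->check_crl_strict = 0;
        return 0;
    default:
        return -1;
    }
}

/* Only errors about the CRL's own validity window (thisUpdate/nextUpdate)
 * qualify; revocation and "no CRL available" are deliberately excluded. */
static int is_crl_date_error(int err)
{
    return err == X509_V_ERR_CRL_HAS_EXPIRED ||
           err == X509_V_ERR_CRL_NOT_YET_VALID;
}

/* Same contract as an SSL_CTX_set_verify() callback: given OpenSSL's
 * preverify result and error for the certificate at 'depth', return 1 to
 * continue the handshake or 0 to abort it. */
int crl_verify_decision(const struct crl_policy *p, int preverify_ok,
                        int err, int depth)
{
    if (preverify_ok)
        return 1;
    if (p->check_crl && !p->check_crl_strict && is_crl_date_error(err)) {
        fprintf(stderr, "warning: CRL date error %d at depth %d tolerated "
                "(check_crl_strict=0); revocation status is unverified\n",
                err, depth);
        return 1;
    }
    return 0;   /* revoked, missing CRL, or any other failure stays fatal */
}

/* Drive the callback over a constructed chain of verify events, as OpenSSL
 * would during a handshake.  Returns 1 if every certificate was accepted. */
int simulate_handshake(const struct crl_policy *p, const int *errs,
                       const int *depths, int n)
{
    for (int i = 0; i < n; i++) {
        int ok = (errs[i] == X509_V_OK);
        if (!crl_verify_decision(p, ok, errs[i], depths[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: CA cert fine at depth 1, peer cert's CRL expired. */
    int errs[]   = { X509_V_OK, X509_V_ERR_CRL_HAS_EXPIRED };
    int depths[] = { 1, 0 };
    struct crl_policy strict = { 1, 1 }, tolerant = { 1, 0 };

    printf("check_crl=1 strict   -> %s\n",
           simulate_handshake(&strict, errs, depths, 2) ? "accept" : "reject");
    printf("check_crl=1 tolerant -> %s\n",
           simulate_handshake(&tolerant, errs, depths, 2) ? "accept" : "reject");
    return 0;
}
```

The guard in crl_verify_decision is the security-relevant part: with check_crl_strict=0 the server knowingly continues on stale revocation data, so the warning is logged on every tolerated handshake, and anything that is not a pure date error (a certificate listed in the stale CRL, or no CRL at all) is still rejected exactly as today.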