On Mon, Jun 18, 2018 at 09:25:16AM +0200, Alejandro Pérez Méndez wrote:
> I've realised that, when using EAP TTLS with no configured CA certificate,
> the server certificate expiration date is not checked at all. Hence,
> wpa_supplicant silently swallows an expired certificate without any
> complaint at all. Is this behaviour intentional or is it a bug? I can see
> scenarios where you don't want to configure a CA certificate but still would
> like WPA supplicant to not accept expired certificates.

Trust root must be configured for EAP-TTLS for there to be any kind of real
security. I don't see much, if any, point in checking the server certificate
expiration date if there is no trust on the certificate in the first place.
Any attacker could generate their own certificate with whatever expiration
date if the client does not actually validate that the server certificate has
a valid chain to a configured trust root.

-- 
Jouni Malinen                                            PGP id EFC895FA
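As an added illustration (not part of the thread and not wpa_supplicant's own documentation), here is the weak wpa_supplicant.conf network block the question describes, next to the hardened form the answer implies. The SSID, identity, password, CA file path and server name are placeholders; `ca_cert` and `domain_match` are real wpa_supplicant.conf parameters.

```conf
# Weak: no ca_cert, so wpa_supplicant does not verify the server certificate
# at all. There is no chain check, and therefore no meaningful expiry check:
# a certificate minted by anyone, with any validity period, is accepted.
network={
    ssid="example-eap"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin a trust root and the expected server name. With ca_cert set,
# the TLS library validates the full chain to that root, which includes the
# notBefore/notAfter window of every certificate in it. domain_match then
# rejects a certificate that chains correctly but was issued for a different
# host, which matters when the CA also signs certificates for other servers.
network={
    ssid="example-eap"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    anonymous_identity="anonymous@example.org"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    # placeholder path to the PEM file holding the RADIUS server's issuing CA
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # placeholder FQDN expected in the server certificate's subjectAltName/CN
    domain_match="radius.example.org"
}
```

The practical check for a deployment is therefore whether `ca_cert` (or an equivalent trust-root setting) is present in every EAP-TTLS/PEAP network block; an expired-certificate complaint from the supplicant is only possible once that chain validation is in place.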