On Mon, Jun 18, 2018 at 09:25:16AM +0200, Alejandro Pérez Méndez wrote:
I've realised that, when using EAP TTLS with no configured CA certificate,
the server certificate expiration date is not checked at all. Hence,
wpa_supplicant silently swallows an expired certificate without any
complaint at all. Is this behaviour intentional or is it a bug? I can see
scenarios where you don't want to configure a CA certificate but still would
like WPA supplicant to do not accept expired certificates.
Trust root must be configured for EAP-TTLS for there to be any kind of
real security. I don't see much, if any, point in checking the server
certificate expiration date if there is no trust on the certificate in
the first place. Any attacker could generate their own certificate with
whatever expiration date if the client does not actually validate that
the server certificate has a valid chain to a configured trust root.
Yeah, I see your point. We are using libeap directly, and using the
server certificate fingerprint for trust. In that case, you'd like to
trust the certificate with the specified fingerprint, but only as long
as it is not expired.
But probably this does not make much sense in wpa_supplicant where you
don't have fingerprint based trust.
Regards,
Alejandro
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
