authorJared Bents <jared.bents@rockwellcollins.com>2019-01-16 15:15:01 (GMT)
committerJouni Malinen <j@w1.fi>2019-01-27 16:45:07 (GMT)
commit159a7fbdeafef10c79bbd2c205be4fdb35ee5c16 (patch)
tree48849f4208dfe4e9e87c1febcfd1edbb4c3765f5 /hostapd
parent0eb34f8f2859e8d51d52c4e7781bdb135ba1b360 (diff)
crl_reload_interval: Add CRL reloading support
This patch adds a new flag 'crl_reload_interval' to reload the CRL periodically. It can be used to reload the ca_cert file and the CRL information it contains on every new TLS session if the difference, in seconds, between the last reload and the current time is greater than crl_reload_interval. This reloading is used for cases where check_crl is 1 or 2 and the CRL is included in the ca_cert file.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Diffstat (limited to 'hostapd')
-rw-r--r--hostapd/config_file.c2
-rw-r--r--hostapd/hostapd.conf13
2 files changed, 14 insertions, 1 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index e2ca278..aeec1d9 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2505,6 +2505,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->check_crl = atoi(pos);
} else if (os_strcmp(buf, "check_crl_strict") == 0) {
bss->check_crl_strict = atoi(pos);
+ } else if (os_strcmp(buf, "crl_reload_interval") == 0) {
+ bss->crl_reload_interval = atoi(pos);
} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
bss->tls_session_lifetime = atoi(pos);
} else if (os_strcmp(buf, "tls_flags") == 0) {
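Review bot: The new crl_reload_interval value on line 30 is stored straight from atoi() with no range check, so a negative value (or non-numeric text, which atoi() silently turns into 0) is accepted without any diagnostic. The surrounding check_crl and tls_session_lifetime options use the same unchecked atoi(), so this is consistent with the file's style, but an interval is a time span for which a negative number is meaningless, and the hostapd.conf text added in this same commit documents 0 as the only "disabled" value and advises against going below 300 seconds; depending on how the TLS code compares the elapsed time with this value (not visible here), a negative interval could presumably cause a reload on every session. A one-line guard in the same error style the parser uses for other invalid values would close that gap, e.g. `if (bss->crl_reload_interval < 0) { wpa_printf(MSG_ERROR, "Line %d: invalid crl_reload_interval %d", line, bss->crl_reload_interval); return 1; }`, assuming `line` is in scope as for the neighbouring options. The enclosing hostapd_config_fill() starts and ends outside this hunk.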
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 739d367..ab37f03 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -922,7 +922,8 @@ eap_server=0
# valid CRL signed by the CA is required to be included in the ca_cert file.
# This can be done by using PEM format for CA certificate and CRL and
# concatenating these into one file. Whenever CRL changes, hostapd needs to be
-# restarted to take the new CRL into use.
+# restarted to take the new CRL into use. Alternatively, crl_reload_interval can
+# be used to configure periodic updating of the loaded CRL information.
# 0 = do not verify CRLs (default)
# 1 = check the CRL of the user certificate
# 2 = check all CRLs in the certificate path
@@ -935,6 +936,16 @@ eap_server=0
# 1 = do not ignore errors (default)
#check_crl_strict=1
+# CRL reload interval in seconds
+# This can be used to reload ca_cert file and the included CRL on every new TLS
+# session if difference between last reload and the current reload time in
+# seconds is greater than crl_reload_interval.
+# Note: If interval time is very short, CPU overhead may be negatively affected
+# and it is advised to not go below 300 seconds.
+# This is applicable only with check_crl values 1 and 2.
+# 0 = do not reload CRLs (default)
+# crl_reload_interval = 300
+
# TLS Session Lifetime in seconds
# This can be used to allow TLS sessions to be cached and resumed with an
# abbreviated handshake when using EAP-TLS/TTLS/PEAP.