authorSam Voss <sam.voss@rockwellcollins.com>2017-08-07 16:26:33 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-31 10:51:51 (GMT)
commitdd5d325b0ac07ef73974b44c6959056030ab68ca (patch)
tree36972e2c099ee1f43e054d752b4baf4fc7221aef /hostapd
parent3518e3623fefa53848614475b128af1c0643a499 (diff)
hostapd: Add configuration option check_crl_strict
Add the ability to ignore time-based CRL errors from OpenSSL by specifying a new configuration parameter, check_crl_strict=0. This causes the following: - This setting does nothing when CRL checking is not enabled. - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does. - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections. By default, check_crl_strict is set to 1, or strict mode, to keep current functionality. Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Diffstat (limited to 'hostapd')
-rw-r--r--hostapd/config_file.c2
-rw-r--r--hostapd/hostapd.conf7
2 files changed, 9 insertions, 0 deletions
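diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index b0d92ba..cb8d26f 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2489,6 +2489,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 bss->private_key_passwd = os_strdup(pos);
 } else if (os_strcmp(buf, "check_crl") == 0) {
 bss->check_crl = atoi(pos);
+} else if (os_strcmp(buf, "check_crl_strict") == 0) {
+bss->check_crl_strict = atoi(pos);
 } else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
 bss->tls_session_lifetime = atoi(pos);
 } else if (os_strcmp(buf, "tls_flags") == 0) {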
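Review bot: The default of 1 (strict) that the description promises is not set anywhere in this diff, so it depends on a `bss->check_crl_strict = 1;` in the BSS defaults (presumably src/ap/ap_config.c, outside the 'hostapd' diffstat); if that assignment is missing, a zero-initialized config silently selects the non-strict, fail-open behaviour for every BSS. That is worth confirming before merge, because the field is only ever read here from the config file and nothing in this hunk guarantees the safe value when the option is absent. The added `atoi(pos)` also stores any integer although hostapd.conf documents only 0 and 1; a range check in the style this parser uses for other bounded options, e.g. `int val = atoi(pos); if (val < 0 || val > 1) { wpa_printf(MSG_ERROR, "Line %d: invalid check_crl_strict value %d", line, val); return 1; }`, would reject typos at load time instead of treating them as "strict". hostapd_config_fill starts and ends outside the hunk.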
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 6134559..e934b9f 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -904,6 +904,13 @@ eap_server=0
# 2 = check all CRLs in the certificate path
#check_crl=1
+# Specify whether to ignore certificate CRL validity time mismatches with
+# errors X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID.
+#
+# 0 = ignore errors
+# 1 = do not ignore errors (default)
+#check_crl_strict=1
+
# TLS Session Lifetime in seconds
# This can be used to allow TLS sessions to be cached and resumed with an
# abbreviated handshake when using EAP-TLS/TTLS/PEAP.
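Review bot: The new comment names X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID, which are the certificate's own validity errors, while the commit description says the option ignores time-based CRL errors, which OpenSSL reports as X509_V_ERR_CRL_HAS_EXPIRED and X509_V_ERR_CRL_NOT_YET_VALID. The implementation is outside this diff, so whichever pair it actually suppresses, the comment should name that pair; as written an operator could read check_crl_strict=0 as accepting expired client certificates, which is a far larger relaxation than the description intends. It would also help to spell out the consequence and the dependency on check_crl, e.g. `# With 0, a stale (expired or not-yet-valid) CRL is still accepted, so revocations issued after it was published are not detected until the CRL is refreshed. This setting has no effect unless check_crl is enabled.`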