path: root/wpa_supplicant/wpa_supplicant.conf
diff options
authorJouni Malinen <j@w1.fi>2010-02-13 09:14:23 (GMT)
committerJouni Malinen <j@w1.fi>2010-02-13 09:14:23 (GMT)
commit00468b4650998144f794762206c695c962c54734 (patch)
treed177ad63a50363525bf3717c2e4e950aa100d8be /wpa_supplicant/wpa_supplicant.conf
parentc7d711609bb13786feb5dd87923bd24967dc29f8 (diff)
Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information about server certificate chain used during TLS handshake. This can be used both to automatically probe the authentication server to figure out most likely network configuration and to get information about reasons for failed authentications. The follow new control interface events are used for this: CTRL-EVENT-EAP-PEER-CERT CTRL-EVENT-EAP-TLS-CERT-ERROR In addition, there is now an option for matching the server certificate instead of the full certificate chain for cases where a trusted CA is not configured or even known. This can be used, e.g., by first probing the network and learning the server certificate hash based on the new events and then adding a network configuration with the server certificate hash after user have accepted it. Future connections will then be allowed as long as the same server certificate is used. Authentication server probing can be done, e.g., with following configuration options: eap=TTLS PEAP TLS identity="" ca_cert="probe://" Example set of control events for this: CTRL-EVENT-EAP-STARTED EAP authentication started CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe' CTRL-EVENT-EAP-FAILURE EAP authentication failed Server certificate matching is configured with ca_cert, e.g.: ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" This functionality is currently available only with OpenSSL. Other TLS libraries (including internal implementation) may be added in the future.
Diffstat (limited to 'wpa_supplicant/wpa_supplicant.conf')
1 files changed, 10 insertions, 0 deletions
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index d552014..4866ae4 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -390,6 +390,16 @@ fast_reauth=1
# a trusted CA certificate should always be configured when using
# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
# change when wpa_supplicant is run in the background.
+# Alternatively, this can be used to only perform matching of the server
+# certificate (SHA-256 hash of the DER encoded X.509 certificate). In
+# this case, the possible CA certificates in the server certificate chain
+# are ignored and only the server certificate is verified. This is
+# configured with the following format:
+# hash:://server/sha256/cert_hash_in_hex
+# For example: "hash://server/sha256/
+# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
# On Windows, trusted CA certificates can be loaded from the system
# certificate store by setting this to cert_store://<name>, e.g.,
# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".