path: root/wpa_supplicant/wpa_supplicant.conf
diff options
authorJouni Malinen <j@w1.fi>2013-06-29 21:54:24 (GMT)
committerJouni Malinen <j@w1.fi>2013-06-29 22:01:15 (GMT)
commit080585c01a1e0ffc42577dd10d475f3ab01d0280 (patch)
tree3c368b26322438b273246fb59d6c79ad443043c2 /wpa_supplicant/wpa_supplicant.conf
parent72950ed24085568f4fe70a87e90d946e9665cbfc (diff)
Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be configured to use OCSP stapling (TLS certificate status request) with ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP response before connection is allowed to continue. hostapd as EAP server can be configured to return cached OCSP response using the new ocsp_stapling_response parameter and an external mechanism for updating the response data (e.g., "openssl ocsp ..." command). This allows wpa_supplicant to verify that the server certificate has not been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before actual data connection has been established (i.e., when a CRL could not be fetched even if a distribution point were specified). Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wpa_supplicant.conf')
1 files changed, 5 insertions, 0 deletions
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 8e21a3a..d73d371 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -815,6 +815,11 @@ fast_reauth=1
# interface used for EAPOL. The default value is suitable for most
# cases.
+# ocsp: Whether to use/require OCSP to check server certificate
+# 0 = do not use OCSP stapling (TLS certificate status extension)
+# 1 = try to use OCSP stapling, but not require response
+# 2 = require valid OCSP stapling response
# EAP-FAST variables:
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
# to create this file and write updates to it when PAC is being