author Jouni Malinen <jouni@codeaurora.org> 2019-04-09 13:18:19 (GMT)
committer Jouni Malinen <j@w1.fi> 2019-04-09 13:24:38 (GMT)
commit 242e857285e5e783915290102a087a6fd9da6ebc
tree 488fceb9011387b91a8b9ab407e8e671f10a9b73 /wpa_supplicant/wpa_supplicant.conf
parent dcc0ccd5b0faab259a48c0cb6427b8b825ba4217
Extend domain_match and domain_suffix_match to allow list of values

These wpa_supplicant network profile parameters could be used to specify a single match string that would be used against the dNSName items in subjectAltName or CN. There may be use cases where more than one alternative match string would be useful, so extend these to allow a semicolon delimited list of values to be used (e.g., "example.org;example.com"). If any of the specified values matches any of the dNSName/CN values in the server certificate, consider the certificate as meeting this requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

Diffstat (limited to 'wpa_supplicant/wpa_supplicant.conf')
-rw-r--r-- wpa_supplicant/wpa_supplicant.conf 12
1 files changed, 12 insertions, 0 deletions
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 9a472a5..a66253f 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1180,6 +1180,12 @@ fast_reauth=1
# certificate may include additional sub-level labels in addition to the
# required labels.
#
+# More than one match string can be provided by using semicolons to
+# separate the strings (e.g., example.org;example.com). When multiple
+# strings are specified, a match with any one of the values is considered
+# a sufficient match for the certificate, i.e., the conditions are ORed
+# together.
+#
# For example, domain_suffix_match=example.com would match
# test.example.com but would not match test-example.com.
# domain_match: Constraint for server domain name
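Review bot: The paragraph added for domain_suffix_match does not say how the list elements are parsed: whether whitespace around a semicolon is significant, and what an empty element (a trailing semicolon, or two semicolons in a row) means. Because the values are ORed, every element widens the set of server certificates the profile accepts, so for a suffix match in particular the comment should state whether an empty element is ignored or rejected rather than leave it open. It would also help to show the list in a full parameter line next to the existing "domain_suffix_match=example.com" example, so the exact syntax is visible in the sample configuration.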
@@ -1192,6 +1198,12 @@ fast_reauth=1
# no subdomains or wildcard matches are allowed. Case-insensitive
# comparison is used, so "Example.com" matches "example.com", but would
# not match "test.Example.com".
+#
+# More than one match string can be provided by using semicolons to
+# separate the strings (e.g., example.org;example.com). When multiple
+# strings are specified, a match with any one of the values is considered
+# a sufficient match for the certificate, i.e., the conditions are ORed
+# together.
# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
# (string with field-value pairs, e.g., "peapver=0" or
# "peapver=1 peaplabel=1")
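Review bot: The paragraph added under domain_match is a verbatim copy of the suffix-match one and leaves the reader to infer that each listed value is still compared as a full FQDN, with no subdomain or wildcard matching. Suggest saying so directly after "the conditions are ORed together", for example by noting that with example.org;example.com a certificate name of test.example.com still does not match, and that the case-insensitive comparison described just above applies to each value in the list.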