git.ipfire.org Git - thirdparty/hostap.git/commit

author	Jouni Malinen <j@w1.fi>
	Sat, 29 Jun 2013 21:54:24 +0000 (00:54 +0300)
committer	Jouni Malinen <j@w1.fi>
	Sat, 29 Jun 2013 22:01:15 +0000 (01:01 +0300)
commit	080585c01a1e0ffc42577dd10d475f3ab01d0280
tree	3c368b26322438b273246fb59d6c79ad443043c2	tree
parent	72950ed24085568f4fe70a87e90d946e9665cbfc	commit \| diff

Add support for OCSP stapling to validate server certificate

When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.

hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).

This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>

hostapd/config_file.c		diff \| blob \| blame \| history
hostapd/hostapd.conf		diff \| blob \| blame \| history
src/ap/ap_config.c		diff \| blob \| blame \| history
src/ap/ap_config.h		diff \| blob \| blame \| history
src/ap/authsrv.c		diff \| blob \| blame \| history
src/crypto/tls.h		diff \| blob \| blame \| history
src/crypto/tls_openssl.c		diff \| blob \| blame \| history
src/eap_peer/eap_config.h		diff \| blob \| blame \| history
src/eap_peer/eap_tls_common.c		diff \| blob \| blame \| history
wpa_supplicant/config.c		diff \| blob \| blame \| history
wpa_supplicant/wpa_supplicant.conf		diff \| blob \| blame \| history