eap-tls-common: Relax certificate chain check
Relax the pre-check for the local user certificate. Previously we checked that the CA provided (if any) verified both the peer identity and the local certificate chain. However, there are networks that use different CAs to sign AP/RADIUS server certificates and the certificates issued to users. Pass NULL instead of the configured CA list to l_certchain_verify, but keep the call so the certificate chain is still sanity-checked for being a valid chain.
parent
cdc9eb13aa
commit
45bd459711
@ -900,16 +900,15 @@ int eap_tls_common_settings_check(struct l_settings *settings,
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (!l_certchain_verify(cert, cacerts, &error_str)) {
|
||||
if (cacerts)
|
||||
l_error("Certificate chain %s is not trusted "
|
||||
"by any CA in %s or fails verification"
|
||||
": %s", client_cert, value, error_str);
|
||||
else
|
||||
l_error("Certificate chain %s fails "
|
||||
"verification: %s",
|
||||
client_cert, error_str);
|
||||
|
||||
/*
|
||||
* Sanity check that certchain provided is valid. We do not
|
||||
* verify the certchain against the provided CA, since the
|
||||
* CA that issued user certificates might be different from
|
||||
* the one that is used to verify the peer
|
||||
*/
|
||||
if (!l_certchain_verify(cert, NULL, &error_str)) {
|
||||
l_error("Certificate chain %s fails verification: %s",
|
||||
client_cert, error_str);
|
||||
ret = -EINVAL;
|
||||
goto done;
|
||||
}
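Review bot: The relaxed call `l_certchain_verify(cert, NULL, &error_str)` drops the only place where a client chain that the configured CA would reject was reported, so a mis-issued user certificate now passes the settings check silently and is only discovered when the server rejects it during EAP. This does not weaken peer authentication, since the server still validates the client chain and the CA list is presumably still used for the peer check elsewhere in eap_tls_common_settings_check (whose body starts before and ends after this hunk), but it loses a useful diagnostic. I would keep a non-fatal hint when a CA list is configured, e.g. `if (cacerts && !l_certchain_verify(cert, cacerts, NULL))` followed by `l_info("Certificate chain %s is not issued by a CA in %s; the server must trust it separately", client_cert, value);` placed after the sanity check, assuming `value` still holds the CA setting at this point. The new comment should also say explicitly that with a NULL CA list the call checks only the chain's internal consistency, so a single self-signed certificate will presumably pass it, and that the log text "fails verification" therefore refers to chain structure, not trust.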
|
||||
|