mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-11-29 13:59:24 +01:00
eap-tls-common: Relax certificate chain check
Relax the pre-check for local user certificate. Before we used to check that the CA provided (if any) was used to verify both the peer identity and the local certificate chain. However, there seem to be networks that use different CAs to sign AP/Radius certificates and certificates issued to users. Drop the ca_certs argument from l_certchain_verify, but keep the call there to make sure the certificate chain is indeed a chain as a sanity check.
This commit is contained in:
parent
cdc9eb13aa
commit
45bd459711
@ -900,16 +900,15 @@ int eap_tls_common_settings_check(struct l_settings *settings,
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!l_certchain_verify(cert, cacerts, &error_str)) {
|
/*
|
||||||
if (cacerts)
|
* Sanity check that certchain provided is valid. We do not
|
||||||
l_error("Certificate chain %s is not trusted "
|
* verify the certchain against the provided CA, since the
|
||||||
"by any CA in %s or fails verification"
|
* CA that issued user certificates might be different from
|
||||||
": %s", client_cert, value, error_str);
|
* the one that is used to verify the peer
|
||||||
else
|
*/
|
||||||
l_error("Certificate chain %s fails "
|
if (!l_certchain_verify(cert, NULL, &error_str)) {
|
||||||
"verification: %s",
|
l_error("Certificate chain %s fails verification: %s",
|
||||||
client_cert, error_str);
|
client_cert, error_str);
|
||||||
|
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user