From d8858cadeb6159105c25348e3476ea9d7781a23d Mon Sep 17 00:00:00 2001
From: Christopher Wiley
Date: Sun, 5 Aug 2012 00:36:08 +0300
Subject: [PATCH] OpenSSL: Fix ca_cert_verify for TPM

This bit is set in the code path that handles keys and certs from places other than OpenSSL authentication engines. Setting this bit causes authentication to fail when the server provides certificates that don't match the client certificate authority.
---
 src/crypto/tls_openssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 3bbd457..860adee 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1922,6 +1922,8 @@ static int tls_connection_engine_ca_cert(void *_ssl_ctx,
 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
 "to certificate store", __func__);
 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
+ conn->ca_cert_verify = 1;
+
 return 0;
 
 #else /* OPENSSL_NO_ENGINE */
-- 
2.1.4
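Review bot: The added `conn->ca_cert_verify = 1;` carries no comment saying that it is what makes a failed chain check fatal, and the line before it, `SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);`, reads as if it were already sufficient. Going by the commit message, the flag is also set in the non-engine CA path and is presumably consulted by tls_verify_cb (not visible in this hunk), so a path that forgets it accepts a server certificate from an untrusted CA without reporting any error. I would add `/* tls_verify_cb only rejects on validation failure when ca_cert_verify is set */` above the assignment, after confirming the wording against the callback. Because the flag and the SSL_set_verify() call have to stay paired in every CA-loading path, consider moving both into one static helper so this fail-open state cannot recur. tls_connection_engine_ca_cert starts before and continues after this hunk.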