hostap: tls: Implement server name verification #88697

Opened by @krish2718

Description

Describe the bug

MbedTLS 3.6.3 now mandates servername checking unless explicitly disabled, and this causes the TLS handshake to fail; see https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.3.

A temporary WAR #88679 to disable this has been raised, but this is a security loophole; we need to implement this in hostap, which already supports the https://github.com/zephyrproject-rtos/hostap/blob/main/wpa_supplicant/wpa_supplicant.conf#L1329 (domain_suffix_match) option, and this needs to be plumbed down to MbedTLS.

To Reproduce

Steps to reproduce the behavior:

  1. Build and run the wifi-enterprise snippet in samples/net/wifi/shell on an nRF7002DK board
  2. Test EAP-TLS
  3. Handshake fails without the above PR (WAR)

Expected behavior
TLS should pass but also in a secure way (not with the WAR)

Impact
Security vulnerability.

Logs and console output
NA

Environment (please complete the following information):

  • OS: Linux
  • Toolchain: Zephyr SDK
  • Commit SHA or Version used: Latest main 86293eb

Additional context
NA
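The check the issue asks to plumb down is the `domain_suffix_match` constraint from wpa_supplicant.conf: the server certificate's SubjectAltName dNSName entries (or the Subject CN when no dNSName is present) must end, label by label from the top-level domain, with every label of the configured suffix, so that `radius.example.com` satisfies `example.com` but `badexample.com` does not. The following is an added illustration written for this issue, not hostap's or MbedTLS's own code; it assumes the label-wise semantics documented for `domain_suffix_match` and uses constructed sample names. It shows the comparison a verification callback would perform before accepting the handshake, which is the part that becomes a bypass if it is simply disabled.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS labels of known length. */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/*
 * Suffix match with the semantics documented for wpa_supplicant's
 * domain_suffix_match (assumed here; this is not hostap's implementation):
 * labels are compared one at a time starting from the top-level domain,
 * every label of `suffix` must be present in `cert_name`, and `cert_name`
 * may carry additional sub-level labels. Comparison is on label boundaries,
 * so "badexample.com" does not match the suffix "example.com".
 */
bool domain_suffix_match(const char *cert_name, const char *suffix)
{
    if (!cert_name || !suffix || !*suffix || !*cert_name)
        return false;

    const char *c = cert_name + strlen(cert_name);  /* end of current label */
    const char *s = suffix + strlen(suffix);

    for (;;) {
        /* Walk back to the start of the rightmost remaining label in each name. */
        const char *c_start = c;
        while (c_start > cert_name && c_start[-1] != '.')
            c_start--;
        const char *s_start = s;
        while (s_start > suffix && s_start[-1] != '.')
            s_start--;

        if (!label_eq(c_start, (size_t)(c - c_start),
                      s_start, (size_t)(s - s_start)))
            return false;

        if (s_start == suffix)
            return true;        /* every suffix label matched */
        if (c_start == cert_name)
            return false;       /* certificate name has fewer labels than the suffix */

        c = c_start - 1;        /* step over the separating dot */
        s = s_start - 1;
    }
}

/*
 * Apply the constraint to a parsed certificate: if any dNSName is present,
 * only dNSName values are consulted; the CN is used only when the
 * certificate carries no dNSName at all.
 */
bool server_name_constraint_ok(const char *const *dns_names, size_t n_dns,
                               const char *cn, const char *suffix)
{
    if (n_dns > 0) {
        for (size_t i = 0; i < n_dns; i++) {
            if (domain_suffix_match(dns_names[i], suffix))
                return true;
        }
        return false;  /* dNSName present but none matched: CN is not a fallback */
    }
    return cn ? domain_suffix_match(cn, suffix) : false;
}

/* Constructed sample SubjectAltName dNSName values for the demonstration. */
const char *const kSampleSan[] = { "radius.example.com", "other.example.org" };
const size_t kSampleSanCount = 2;

int main(void)
{
    const char *suffix = "example.com";  /* constructed domain_suffix_match value */

    printf("radius.example.com vs %s: %d\n", suffix,
           domain_suffix_match("radius.example.com", suffix));
    printf("badexample.com     vs %s: %d\n", suffix,
           domain_suffix_match("badexample.com", suffix));
    printf("SAN set accepted: %d\n",
           server_name_constraint_ok(kSampleSan, kSampleSanCount,
                                     "cn.example.com", suffix));
    return 0;
}
```

The label-boundary rule is the point worth keeping in mind when the option is wired through to the TLS library: a plain `strstr`- or `endswith`-style suffix comparison would accept a certificate issued to an attacker-controlled `badexample.com`, so the check the EAP peer relies on must compare whole labels.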

Labels: Security Review (to be reviewed by a security expert), area: Wi-Fi, bug, priority: medium

Status: Todo