Skip to content

manifest: hostap: Enable server certificate verification#98190

Merged
nashif merged 3 commits intozephyrproject-rtos:mainfrom
D-Triveni:enable_server_cert_verification
Nov 14, 2025
Merged

manifest: hostap: Enable server certificate verification#98190
nashif merged 3 commits intozephyrproject-rtos:mainfrom
D-Triveni:enable_server_cert_verification

Conversation

@D-Triveni
Copy link
Contributor

@D-Triveni D-Triveni commented Oct 24, 2025
edited by jukkar
Loading

Enable hostname validation for server certificate verification.

Fixes #88697
@github-actions
Copy link

github-actions bot commented Oct 24, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
hostap zephyrproject-rtos/hostap@cf05f33 zephyrproject-rtos/hostap@6086dea (main) zephyrproject-rtos/hostap@cf05f33f..6086dea5

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.
@github-actions github-actions bot added manifest manifest-hostap DNM (manifest) This PR should not be merged (controlled by action-manifest) labels Oct 24, 2025
@zephyrbot zephyrbot added area: Wi-Fi Wi-Fi size: XS A PR changing only a single line of code labels Oct 24, 2025
@krish2718
Copy link
Contributor

krish2718 commented Oct 27, 2025

I only see the revert, so, how would this feature work without any support to configure the cert details?
@krish2718 krish2718 mentioned this pull request Oct 28, 2025
Open
@valeriosetti valeriosetti removed their request for review October 29, 2025 12:19
krish2718
krish2718 reviewed Oct 29, 2025
View reviewed changes
Copy link
Contributor

@krish2718 krish2718 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can also add domain_match to have a stricter subdomain check.
@MaochenWang1
Copy link
Contributor

MaochenWang1 commented Oct 30, 2025

Is domain_match a more suitable parameter for certificate verification than domain_suffix_match?
@krish2718
Copy link
Contributor

krish2718 commented Oct 30, 2025

Is domain_match a more suitable parameter for certificate verification than domain_suffix_match?

#98190 (review) IMHO we can add both and leave it to the user how strict the check needs to be.
@D-Triveni D-Triveni force-pushed the enable_server_cert_verification branch from 559424b to e327970 Compare October 31, 2025 09:00
krish2718
krish2718 previously approved these changes Nov 3, 2025
View reviewed changes
krish2718
krish2718 reviewed Nov 3, 2025
View reviewed changes
@tomi-font tomi-font removed their request for review November 5, 2025 10:29
@D-Triveni D-Triveni force-pushed the enable_server_cert_verification branch from e327970 to e1d436b Compare November 6, 2025 10:30
krish2718
krish2718 previously approved these changes Nov 6, 2025
View reviewed changes
@krish2718 krish2718 added this to the v4.3.0 milestone Nov 6, 2025
jukkar
jukkar reviewed Nov 6, 2025
View reviewed changes
@D-Triveni D-Triveni force-pushed the enable_server_cert_verification branch 2 times, most recently from d1d2c83 to c1de2df Compare November 7, 2025 07:52
@D-Triveni D-Triveni force-pushed the enable_server_cert_verification branch from c1de2df to 098d10a Compare November 7, 2025 09:43
@github-actions github-actions bot removed the DNM (manifest) This PR should not be merged (controlled by action-manifest) label Nov 7, 2025
jukkar
jukkar previously approved these changes Nov 7, 2025
View reviewed changes
@D-Triveni D-Triveni force-pushed the enable_server_cert_verification branch from 098d10a to 07b8496 Compare November 7, 2025 11:15
@D-Triveni
manifest: hostap: Enable server certificate verification
0a9bd6f 
Enable hostname validation for server certificate verification.

Signed-off-by: Triveni Danda <triveni.danda@nordicsemi.no>
@D-Triveni
net: l2: wifi: Handle domain match and suffix match parameters
e1ba6de 
Add support to handle domain match and suffix match parameters
for proper server certification validation.

Signed-off-by: Triveni Danda <triveni.danda@nordicsemi.no>
@D-Triveni
doc: wifi: Add server certificate domain validation instructions
d59ef37 
Add instructions for verifying the authentication server’s certificate
domain using exact domain match and domain suffix match options.

Signed-off-by: Triveni Danda <triveni.danda@nordicsemi.no>
@D-Triveni D-Triveni force-pushed the enable_server_cert_verification branch from 07b8496 to d59ef37 Compare November 10, 2025 10:05
@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 10, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud
@jhedberg
Copy link
Member

jhedberg commented Nov 11, 2025

The referenced issue needs to be elevated to a release blocker for the 4.3 milestone to make sense. Is that's what's being proposed here? Can it be justified?
@krish2718
Copy link
Contributor

krish2718 commented Nov 11, 2025

The referenced issue needs to be elevated to a release blocker for the 4.3 milestone to make sense. Is that's what's being proposed here? Can it be justified?

Not really, the fix was delayed, so, we missed this before RC1 as intended. I would say this is still a feature and can be skipped for 4.3.
@jhedberg jhedberg modified the milestones: v4.3.0, v4.4.0 Nov 11, 2025
@nashif nashif merged commit 0186d12 into zephyrproject-rtos:main Nov 14, 2025
38 of 40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: Networking area: Wi-Fi Wi-Fi manifest manifest-hostap size: XS A PR changing only a single line of code

7 participants

@D-Triveni @krish2718 @MaochenWang1 @jhedberg @jukkar @nashif @zephyrbot