3.2.7.1 TLS Session Established Successfully

  • Article

If the TLS session established successfully:

inputParameter: TLS message

outputParamter:

  • CtxtHandle (a context handle returned by TLS layer)

  • Server Certificate (The certificate as received from the server by the TLS layer. The server certificate is a X.509 certificate as described in [RFC5280]. It is made available as part of the TLS handshake as specified in section 7.4.2 of [RFC2246].)

  • isSessionResumed (a Boolean flag indicating whether the underlying TLS session is resumed (as defined in sections 7.3 and F.1.4 of [RFC2246]); TRUE indicates that the TLS session is resumed.)

This event will be received from the TLS layer in response to a TLS message passed to it by the PEAP layer during phase 1. If the currentState variable is not set to PEAP_PHASE1_INPROGRESS, ignore this event. Otherwise, the PEAP layer MUST take the following actions:

  1. The following processing MUST be done if isValidateServerCertEnabled is TRUE:

    1. The trust anchor of the server certificate MUST be validated against the certificates in a trust root <14>as specified in section 6.1 of [RFC5280]. If the validation fails, then prepare a TLS alert message with AlertDescription set to unknown_ca (section 7.2 of [RFC2246]) and go to Step 5.

    2. Validate that the SHA1 hash ([RFC3174]) of the certificate which matched the trust anchor of the server certificate in the preceding step is present in TrustedCertHashInfoList.

    3. If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames.

    4. If any of the validations in either of the two preceding steps fails and isPromptForValidationDisabled is set to FALSE, the implementation could take user's consent on whether the authentication succeeded. If the user has chosen to fail the authentication, or if isPromptForValidationDisabled is set to TRUE and validations in either of the two preceding steps fail, prepare a TLS Alert message with AlertDescription set to access_denied (section 7.2 [RFC2246]). The currentState continues to be same. Go to Step 5.

  2. Store the CtxtHandle returned by the TLS layer.

  3. If isSessionResumed and isFastReconnectConfigured are set to TRUE, then set isFastReconnectAllowed to TRUE; otherwise set it to FALSE.

  4. Change currentState to TUNNEL_ESTABLISHED.

  5. Prepare an EAP response packet as specified in [RFC5216] section 3.2.

  6. Change the packet Type field to PEAP [IANA-EAP], and then send the packet to the server.