Re: Interactive certificate dialog?



On Thu, 2009-10-29 at 14:52 -0400, Matthew Saltzman wrote:
> My employer's wireless system is undergoing maintenance and information
> about our SSL certificate for WPA has changed.  On Windows, when you are
> offered an untrusted certificate, there is a pop-up dialog asking you
> whether to accept the certificate or not.  In NetworkManager, the
> connection simply fails with no indication of what the problem is.
> 
> In my case, the solution is to hunt down a source for the appropriate
> certificate, copy it into /etc/pki/tls/certs, and set NM to point to
> that file for its cert.
> 
> Would it be possible for NM to enter into a dialog with the user about
> accepting the certificate?  If that's not acceptable, would it at least
> be possible to provide a more informative message about the cause for
> the connection failure?

This is my bright rosy future.  A system certificate store.
Unfortunately, we're not there yet.  Here's why.

1) wpa_supplicant doesn't communicate certificate validation failures
(or any failures really) up to the caller.  Thus, unless we screenscrape
the supplicant debug output, we have no way of finding out that the
failure was because the CA certificate validation failed.

2) Even if we could do that, we don't have a mechanism for the
supplicant to send the received CA certificate back up to the caller
(i.e., NM) so that NM could proxy it to userspace for the user to look at.

Even just fixing #1 so that we know what the problem is would be
awesome.  We'll get there, it'll just take some time and fixes to the
supplicant.

Dan



