Re: Interactive certificate dialog?



On Mon, 2009-11-02 at 13:11 -0800, Dan Williams wrote: 
> On Thu, 2009-10-29 at 14:52 -0400, Matthew Saltzman wrote:
> > My employer's wireless system is undergoing maintenance and information
> > about our SSL certificate for WPA has changed.  On Windows, when you are
> > offered an untrusted certificate, there is a pop-up dialog asking you
> > whether to accept the certificate or not.  In NetworkManager, the
> > connection simply fails with no indication of what the problem is.
> > 
> > In my case, the solution is to hunt down a source for the appropriate
> > certificate, copy it into /etc/pki/tls/certs, and set NM to point to
> > that file for its cert.
> > 
> > Would it be possible for NM to enter into a dialog with the user about
> > accepting the certificate?  If that's not acceptable, would it at least
> > be possible to provide a more informative message about the cause for
> > the connection failure?
> 
> This is my bright rosy future.  A system certificate store.
> Unfortunately, we're not there yet.  Here's why.
> 
> 1) wpa_supplicant doesn't communicate certificate validation failures
> (or any failures really) up to the caller.  Thus, unless we screenscrape
> the supplicant debug output, we have no way of finding out that the
> failure was because the CA certificate validation failed.
> 
> 2) Even if we could do that, we don't have a mechanism for the
> supplicant to send the received CA certificate back up to the caller
> (i.e., NM) so that NM could proxy it to userspace for the user to look at.
> 
> Even just fixing #1 so that we know what the problem is would be
> awesome.  We'll get there, it'll just take some time and fixes to the
> supplicant.

OK Thanks.  I'll be watching for it....

> 
> Dan
> 
> 
> 
-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
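
Added example, not part of the original messages and not NetworkManager or wpa_supplicant code: a sketch of the "screenscrape the supplicant debug output" approach mentioned in point 1 of the quoted reply, turning a silent failure into a message a user could act on. The regex assumes the warning wording used by wpa_supplicant's OpenSSL TLS backend, which may differ between versions and TLS backends; the sample log, the function names and the certificate subject are constructed for illustration.

```python
import re

# Assumed wording of the supplicant's OpenSSL-backend warning. Matching free-form
# debug text like this is fragile: a rewording upstream silently breaks it.
CERT_FAIL = re.compile(
    r"TLS: Certificate verification failed, error (?P<code>\d+) "
    r"\((?P<reason>[^)]*)\) depth (?P<depth>\d+) for '(?P<subject>[^']*)'"
)

# Constructed sample of supplicant debug output (not captured from a real network).
SAMPLE_LOG = """\
EAP: EAP entering state IDENTITY
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=US/O=Example University/CN=Example Wireless CA'
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""


def find_cert_failures(log_text):
    """Return one dict per certificate validation failure found in the log."""
    failures = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CERT_FAIL.search(line)
        if m:
            failures.append({
                "line": lineno,
                "code": int(m["code"]),       # OpenSSL X509 verify error number
                "reason": m["reason"],        # OpenSSL's text for that error
                "depth": int(m["depth"]),     # 0 = server cert, >0 = issuer chain
                "subject": m["subject"],
            })
    return failures


def explain(log_text):
    """Build the informative failure message the original poster asked for."""
    failures = find_cert_failures(log_text)
    if not failures:
        return "No certificate validation failure found in supplicant output."
    f = failures[-1]
    role = "server certificate" if f["depth"] == 0 else "CA/intermediate certificate"
    return (f"Authentication failed: {role} '{f['subject']}' was rejected "
            f"({f['reason']}). Check the CA certificate set for this connection.")


if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
```

This only reports why validation failed; it does not recover the certificate itself, which is the separate gap described in point 2.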

