Re: Query on setting ca-path and ca-cert with dbus for 802.1x



On Fri, 2012-03-09 at 15:13 +0000, John Carter wrote:
> Hi,
> 
> 
> I'm writing a small app that creates 802.1x profiles. I can create
> profiles and connect, but I'm not sure I'm doing the right thing re
> certificates for phase1 (I'm not using EAP-MSCHAPv2 and EAP-GTC. I'm
> not using EAP-TLS):
> 
> 
> According to
> http://projects.gnome.org/NetworkManager/developers/settings-spec-08.html I must set ca-cert to "file:///path/to/cert.der" with a trailing null byte and I should also set ca-path to a directory that contains the certs for the chain (as DER).

Perhaps the docs should be clarified.  Setting the ca-cert value
overrides the ca-path value to some degree, such that the CA cert
against which the other side's certificate is checked is the
value in ca-cert if present.  ca-path gets used if you either don't
specify a ca-cert, or if we need some additional certificates to
complete the cert chain during verification.

> 
> I'm assuming that phase2-ca-cert and phase2-ca-path are used for
> EAP-TLS and I shouldn't be concerned with them.

Not quite; the phase2 stuff would only come into play if you're using
EAP-TTLS.  Basically, some methods have an outer, anonymous tunnel to
establish encryption and then do the inner tunnel (phase2) for the
authentication to hide the various details of the auth process.  So the
outer tunnel gets used on all the EAP methods that do encryption, and
that's where the CA cert gets verified.  But if you do EAP-TTLS/TLS
where TLS is used as the inner tunnel then you'd populate
phase2-ca-cert, phase2-client-cert, and phase2-private-key etc.  At the
moment the nm-connection-editor GUI doesn't allow easy configuration of
EAP-TTLS/TLS but that's mainly because it's almost never used, since it
doesn't provide much (if any) benefit over plain TLS.

> 
> If I supply the chain certs do I need to supply the server cert in
> ca-cert?

No, you'd supply the CA chain that signed the server's certificate.

> 
> If I supply just the ca-cert do I need the chain certs?

You'll need the whole chain if you don't supply ca-path, and if you do
supply ca-path, you'll need the whole chain up to the point where a
major CA has signed it.  So typical use would be that your organization
has paid say Verisign to sign their organization-wide CA, which they
then use to sign the server's certificate.  The organization preloads
their organizational CA and the Verisign root CA into ca-path.  When the
connection happens, the server certificate is retrieved which is then
verified using ca-cert and if necessary additional certificates in the
chain from ca-path.

> 
> Is there anything else I need to know or do to avoid creating a big
> security hole?

Always set a CA certificate, and optionally set the subject match stuff
to something known from the server's certificate to ensure that some
rogue AP doesn't try to impersonate your server.

Dan
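An added example, not part of the thread above: a small Python helper that builds the NetworkManager 0.8 "802-1x" setting dictionary the way Dan describes it (ca-cert as a "file://" path with a trailing NUL byte, ca-path for extra chain certificates, subject-match set, phase2-ca-cert only for EAP-TTLS, and no profile without a CA certificate). The "eap", "identity" and "phase2-auth" key names are assumed from NetworkManager's setting names and do not appear in the thread; wrapping the values in D-Bus types is left to the caller.

```python
"""Build a NetworkManager 0.8 '802-1x' setting dict for D-Bus.

Constructed example. Encodes the ca-cert path scheme from the thread
('file:///path/to/cert.der' plus a trailing NUL byte) and refuses to
build a profile that would leave the RADIUS server unverified.
"""
from __future__ import annotations

NUL = b"\x00"
PATH_SCHEME = b"file://"   # NM 0.8 scheme prefix for on-disk certs


def cert_path_blob(path: str) -> bytes:
    """Encode an absolute cert path as NM 0.8 expects: 'file://' + path + NUL."""
    if not path.startswith("/"):
        raise ValueError("certificate path must be absolute")
    return PATH_SCHEME + path.encode("utf-8") + NUL


def decode_cert_blob(blob: bytes) -> str:
    """Inverse of cert_path_blob; handy when auditing existing profiles."""
    if not blob.startswith(PATH_SCHEME) or not blob.endswith(NUL):
        raise ValueError("not a file:// path blob")
    return blob[len(PATH_SCHEME):-1].decode("utf-8")


def build_8021x_setting(eap: str, identity: str, ca_cert: str | None,
                        ca_path: str | None = None,
                        subject_match: str | None = None,
                        phase2_auth: str | None = None,
                        phase2_ca_cert: str | None = None) -> dict:
    """Return the '802-1x' setting as a plain dict.

    Enforces the reply's advice: always set ca-cert (otherwise a rogue AP
    with any certificate is accepted), and only use phase2-ca-cert when
    the inner tunnel is TLS inside EAP-TTLS."""
    if ca_cert is None:
        raise ValueError("refusing to build a profile without ca-cert")
    if phase2_ca_cert is not None and eap != "ttls":
        raise ValueError("phase2-ca-cert only applies to EAP-TTLS inner TLS")
    setting = {"eap": [eap], "identity": identity,
               "ca-cert": cert_path_blob(ca_cert)}
    if ca_path:
        setting["ca-path"] = ca_path              # DER chain certs directory
    if subject_match:
        setting["subject-match"] = subject_match  # pin the server's subject
    if phase2_auth:
        setting["phase2-auth"] = phase2_auth      # e.g. mschapv2 or gtc
    if phase2_ca_cert:
        setting["phase2-ca-cert"] = cert_path_blob(phase2_ca_cert)
    return setting
```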
