On Tue, 2014-02-18 at 20:59 -0500, Pranesh Prakash wrote:
> Dear all, I'm on Ubuntu with NM v0.9.8.8, and am trying to connect to a university wireless network that uses PEAP MSCHAPv2 for authentication. The instructions on their website are only for Windows and Mac, but it suggests that the certificate for authentication is "pushed" from the server side to the client, and that users need to click on "OK" (Windows) or to accept the server. On Ubuntu, I'm provided a choice between "Ignore" and "Choose CA Certificate". If I click on "Ignore", it connects fine. If I choose "Choose CA Certificate", nothing happens.
This indicates that you are using nm-applet/nm-connection-editor for version 0.9.8. "Choose CA Certificate" actually means: "I want to return to the configuration dialog and choose a certificate". So nothing happens, because you stay (return) to the configuration dialog and are expected to select a certificate. Arguably, this could be done better UI-wise, which is why upstream nm-applet has a checkbox "No certificate is required" instead of this question dialog. [ https://bugzilla.redhat.com/show_bug.cgi?id=758076 ]

Also note that you are talking about one UI client to the NetworkManager daemon. The daemon itself has no UI, but different clients exist that talk to the daemon over DBUS (nm-applet, nmcli, nmtui, Gnome shell client, plasma-nm, ...?). So, you use one of these clients to configure connections (profiles) and activate/deactivate them.
> Using Wireshark, with the "eap" display filter, I checked out the packets being exchanged. It seemed that the university is using a certificate from GlobalSign (whose root certs are pre-installed in Ubuntu). I don't have access to the university's certificate itself, since I can't seem to figure out which IP address and port to point "openssl s_client -connect" at. (I've tried the DHCP server's IP address, the gateway's IP address, with the following ports: 1645, 1646, 443, and in each case I received a "connect:errno=111".) If I go to Edit Connections > YaleSecure > Wi-Fi Security > CA certificate, and choose a certificate at random from /usr/share/ca-certificates/mozilla/, interesting things happen.
>
> A. With a GlobalSign cert selected in the "CA certificate" field. The connection succeeds.
>
> B. With any other cert selected in the "CA certificate" field.
>
> B1. With "Ask for this password each time" checked
"Ask for pw each time" only controls *how* NM gets the password (user input, system wide configuration, user keyring). It should make no difference in regard to certificates.
> B1a. After having disconnected from a successful connection, changed the cert in the "Wi-Fi Security" tab, and reconnected. The connection succeeds.
>
> B1b. After having disconnected from a successful connection AND having disabled & re-enabled networking via the nm-applet AND changed the cert in the "Wi-Fi Security" tab, and reconnected. The connection fails. ("Unknown CA" in the Wireshark logs)
This is indeed strange; as said above, the way the password gets provided should have no effect. Is it possible that you typed the wrong password?
> B2. Having unchecked "Ask for this password each time" The connection succeeds.
>
> C. With no cert selected in the "CA certificate" field.
>
> C1. The connection succeeds iff I enter the right password and click on "Ignore".
>
> C2. The connection doesn't do anything if I click on "Choose CA certificate". It doesn't provide me a file selection window. It just remains on the same "Wi-Fi Network Authentication Required" dialogue box.
>
> It seems there is some kind of caching going on in situation B1, and in situation B2 the certs just aren't being compared at all. Isn't this a security bug? And C2 seems to be a UI bug.
C2 works as expected(?) :) -- see above.

B1b I wouldn't expect. You might want to check that again.

Other than B1b, you basically can *always* connect. I think this is because of the following: In the UI client you are using (nm-applet), you can select the CA certificate. With this client, however, you are not able to configure *every* option that NM understands. Some obscure parameters are not exposed there. Especially, NM has a boolean parameter called "system-ca-certs". If this parameter is set to true, it will pass "ca_path" with the system-wide path of certificates to wpa_supplicant. If you specified a certificate in the UI, it will pass both "ca_path" and "ca_cert" to the supplicant. That means, if your GlobalSign certificate is in your system-wide store AND NM has "system-ca-certs" set, the server certificate is actually trusted.

What is unexpected to you is that when you create a connection in nm-applet/nm-connection-editor, it will set "system-ca-certs" to "true" and you have no way to disable it via nm-applet alone. That's why nm-applet changed in this regard upstream: https://git.gnome.org/browse/network-manager-applet/commit/?id=c798c40c5dce3bc6d9b615621cefe59660b5a504

So, try to edit the config file in /etc/NetworkManager/system-connections manually and set this parameter to "false". Depending on your configuration, NM will immediately pick up the change of the file (it will tell you in its log file when it reloads the configuration from file). Then you should *only* be able to connect if you did not select a ca_cert in the UI (Ignore) or if you provide a valid certificate.

ciao
Thomas
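As an added illustration of the "system-ca-certs" point in Thomas's reply (this is example code written here, not code from the thread or from NetworkManager), the script below inspects the [802-1x] section of a NetworkManager keyfile profile, classifies how the RADIUS server certificate will be verified, and rewrites system-ca-certs to false while keeping the file's permissions. The sample profile, its identity and the CA file path are constructed; the key names eap, phase2-auth, ca-cert and system-ca-certs are the keyfile spellings of the 802-1x setting properties, and the classification follows the reply's description of what NM passes to wpa_supplicant.

```shell
#!/bin/sh
# Write a constructed PEAP/MSCHAPv2 profile in NetworkManager keyfile layout
# (sample data only; the CA path is a placeholder, not a real file).
make_sample_profile() {
    cat > "$1" <<'EOF'
[connection]
id=YaleSecure
type=wifi

[wifi]
ssid=YaleSecure
security=802-11-wireless-security

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=user@example.invalid
phase2-auth=mschapv2
ca-cert=file:///usr/share/ca-certificates/mozilla/EXAMPLE_CA.crt
system-ca-certs=true
EOF
}

# Print the value of one key from the [802-1x] section (empty if absent).
get_8021x_key() {
    awk -F= -v key="$2" '
        /^\[/ { insec = ($0 == "[802-1x]"); next }
        insec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Classify server-certificate verification as described in the reply:
#   system-ca-certs=true  -> NM also passes ca_path, so any system CA is accepted
#   only ca-cert set      -> only the pinned CA file is passed to wpa_supplicant
#   neither               -> the server certificate is not checked at all
classify_profile() {
    ca_cert=$(get_8021x_key "$1" ca-cert)
    sys_ca=$(get_8021x_key "$1" system-ca-certs)
    if [ "$sys_ca" = "true" ]; then
        echo "any-system-ca"
    elif [ -n "$ca_cert" ]; then
        echo "pinned-ca"
    else
        echo "no-validation"
    fi
}

# Set system-ca-certs=false inside [802-1x], adding the line if it is missing.
# The result is copied back over the original so its mode and owner survive.
disable_system_ca_certs() {
    tmp="$1.tmp.$$"
    awk '
        /^\[/ {
            if (insec && !done) { print "system-ca-certs=false"; done = 1 }
            insec = ($0 == "[802-1x]")
        }
        insec && /^system-ca-certs=/ { print "system-ca-certs=false"; done = 1; next }
        { print }
        END { if (insec && !done) print "system-ca-certs=false" }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a throwaway copy so nothing under /etc is touched.
demo="/tmp/nm-8021x-demo.$$"
make_sample_profile "$demo"
echo "before: $(classify_profile "$demo")"   # any-system-ca
disable_system_ca_certs "$demo"
echo "after:  $(classify_profile "$demo")"   # pinned-ca
rm -f "$demo"
```

On a real system the profile under /etc/NetworkManager/system-connections is root-owned and must stay readable only by root, which is why the script copies the rewritten content back over the original instead of moving a new file into place. After the edit, "pinned-ca" is the state Thomas describes: the connection succeeds only when the server chain validates against the selected CA file.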