Re: Possible Security Bug in NM's PEAP implementation

On Tue, 2014-02-18 at 20:59 -0500, Pranesh Prakash wrote:
Dear all,
I'm on Ubuntu with NM v0.9.8.8, and am trying to connect to a university
wireless network that uses PEAP MSCHAPv2 for authentication.  The
instructions on their website is only for Windows and Mac, but it
suggests that the certificate for authentication is "pushed" from the
server side to the client, and that users need to click on "OK"
(Windows) or  to accept the server.

On Ubuntu, I'm provided a choice between "Ignore" and "Choose CA
Certificate".  If I click on "Ignore", it connects fine.  If I choose
"Choose CA Certificate", nothing happens.

This indicates that you are using nm-applet/nm-connection-editor for
version 0.9.8. "Choose CA Certificate" actually means: "I want to return
to the configuration dialog and choose a certificate". So nothing
happens, because you stay (return) to the configuration dialog and are
expected to select a certificate.

Arguably, this could be done better UI wise, which is why upstream
nm-applet has a checkbox "No certificat is required" instead of this
question-dialog. [ ]

Also note, that you are talking about one UI client to the
NetworkManager daemon. The daemon itself has no UI, but different
clients exist that talk to the deamon over DBUS (nm-applet, nmcli,
nmtui, Gnome shell client, plasma-nm, ...?). So, you use one of these
clients to configure connections (profiles) and activate/deactivate

Using Wireshark, with the "eap" display filter, I checked out the
packets being exchanged.  It seemed that the university is using a
certificate from GlobalSign (whose root certs are pre-installed in
Ubuntu).  I don't have access to the university's certificate itself,
since I can't seem to figure out which IP address and port to point
"openssl s_client -connect" at.  (I've tried the DHCP server's IP
address, the gateway's IP address, with the following ports: 1645, 1646,
443, and in each case I received a "connect:errno=111".)

If I go to Edit Connections > YaleSecure >  Wi-Fi Security > CA
certificate, and choose a certificate at random from
/usr/share/ca-certificates/mozilla/, interesting things happen.

A. With a GlobalSign cert selected in the "CA certificate" field.

   The connection succeeds.

B. With any other cert selected in the "CA certificate" field.

    B1. With "Ask for this password each time" checked

"Ask for pw each time" only controls *how* NM gets the password (user
input, system wide configuration, user keyring). It should make no
difference in regard to certificates.

        B1a. After having disconnected from a successful connection,
changed the cert in the "Wi-Fi Security" tab, and reconnected.

             The connection succeeds.

        B1b. After having disconnected from a successful connection AND
having disabled & re-enabled networking via the nm-applet AND changed
the cert in the "Wi-Fi Security" tab, and reconnected.

             The connection fails. ("Unknown CA" in the Wireshark logs)

This is indeed strange, as said above the way how the password gets
provided should have no effect. Is it possible that you typed the wrong

    B2. Having unchecked "Ask for this password each time"

        The connection succeeds.

C. With no cert selected in the "CA certificate" field.

   C1. The connection succeeds iff I enter the right password and click
on "Ignore".
   C2. The connection doesn't do anything if I click on "Choose CA
certificate".  It doesn't provide me a file selection window.  It just
remains on the same "Wi-Fi Network Authentication Required" dialogue box.
It seems there is some kind of caching going on in situation B1, and in
situation B2 the certs just aren't being compared at all.  Isn't this a
security bug?  And C2 seems to be a UI bug.

C2 works as expected(?) :) -- See above
B1b I wouldn't expect. You might want to check that again.

Other then B1b, you basically can *always* connect. I think this is
because of the following:

In the UI client you are using (nm-applet), you can select the
CA-Certificate. With this client however, you are not able to configure
*every* option that NM understands. Some obscure parameters are not
exposed there. Especially, NM has a boolean parameter called

If this parameter is set to true, it will pass "ca_path" with the system
wide path of certificates to wpa_supplicant. If you specified a
certificate in the UI, it will pass both "ca_path" and "ca_cert" to the

That means, if your GlobalSign certificate is in your system wide store
AND NM has "system-ca-certs" set, the server certificate is actually

What is unexpected to you, is that when you create a connection in
nm-applet/nm-connection-editor, it will set "system-ca-certs" to "true"
and you have no way to disable it via nm-applet alone. That's why
nm-applet changed in this regard upstream:

So, try to edit the configfile in /etc/NetworkManager/system-connections
manually and set this parameter to "false". Depending on your
configuration, NM will immediately pickup the change of the file (it
will tell you in its logfile when it reloads the configuration from
file). Then you should *only* be able to connect if you did not select a
ca_cert in the UI (Ignore) or if you provide a valid certificate.


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]