Hello everybody,
when networkmanager connects to a WPA/WPA2-Enterprise secured notwork it can
check the validity of the server certificate against a CA certificate.
Connecting to the authentication server does not include a domain name,
though. So by default there is no way to check the certificate CN value. This
results in a potential security issue: If anybody has a certificate with
*any* CN issued by the same CA networkmanager will accept it as valid.
An attacker can set up access points with same SSID and forged authentication
server to phish user credentials and redirect network traffic.
Since version 2.1 wpa_supplicant supports configuration option
'domain_suffix_match' to manually specify a domain (suffix) to match the
server certificate against. 'domain_match' was added later on.
I would like to see a configuration option within networkmanager for this
setting. Any chance to add that?
--
main(a){char*c=/* Best regards, */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
Attachment:
pgpFy29n21sap.pgp
Description: OpenPGP digital signature