Re: WPA2-Enterprise and server certificate verification

From: Dan Williams <dcbw redhat com>
To: Christian Hesse <list eworm de>, networkmanager-list gnome org
Subject: Re: WPA2-Enterprise and server certificate verification
Date: Mon, 08 Feb 2016 10:21:28 -0600

On Mon, 2016-02-08 at 12:09 +0100, Christian Hesse wrote:

Hello everybody,

when networkmanager connects to a WPA/WPA2-Enterprise secured notwork
it can
check the validity of the server certificate against a CA
certificate.

Connecting to the authentication server does not include a domain
name,
though. So by default there is no way to check the certificate CN
value. This
results in a potential security issue: If anybody has a certificate
with
*any* CN issued by the same CA networkmanager will accept it as
valid.
An attacker can set up access points with same SSID and forged
authentication
server to phish user credentials and redirect network traffic.

Since version 2.1 wpa_supplicant supports configuration option
'domain_suffix_match' to manually specify a domain (suffix) to match
the
server certificate against. 'domain_match' was added later on.

I would like to see a configuration option within networkmanager for
this
setting. Any chance to add that?


Yes, it's come up recently on bugzilla.gnome.org too and it should
likely get added alongside the existing subject matching support.

Dan

Follow-Ups:
- Re: WPA2-Enterprise and server certificate verification
  - From: Christian Hesse

References:
- WPA2-Enterprise and server certificate verification
  - From: Christian Hesse

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]