Re: WPA2-Enterprise and server certificate verification

On Mon, 2016-02-08 at 21:35 +0100, Christian Hesse wrote:
Christian Hesse <list eworm de> on Mon, 2016/02/08 21:23:
Yes, it's come up recently on too and it
likely get added  

Ah, nice. Do you have a link for the bug? I did not find it...
And is anybody working on this?

Uh, just found this one...

So this is pending since nearly ten years?

No, the bug was originally about alt_subjectmatch functionality which
was added years ago.  It then got "repurposed" by some people to
request the domain_suffix_match functionality which was first added to
wpa_supplicant in version 2.1.  After some back-and-forth with upstream
supplicant about the exact semantics of domain_suffix_match, even that
won't solve everyone's problems, but it's good enough for most people.

Part of the lag here is that there shouldn't have to be 3+ different
options for validating certificates, and people apparently cannot
figure out a good single mechanism to do so.  I think that would
ideally be a list of allowed domains to match, but the supplicant
doesn't implement that.  So we're left with domain_suffix_match which
will work for many people, but apparently not some large users (like


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]