Re: WPA2-Enterprise and server certificate verification



On Mon, 2016-02-08 at 21:35 +0100, Christian Hesse wrote:
Christian Hesse <list eworm de> on Mon, 2016/02/08 21:23:
Yes, it's come up recently on bugzilla.gnome.org too and it should likely get added

Ah, nice. Do you have a link for the bug? I did not find it...
And is anybody working on this?

Uh, just found this one...

https://bugzilla.gnome.org/show_bug.cgi?id=341323

So this is pending since nearly ten years?

No, the bug was originally about alt_subjectmatch functionality which
was added years ago.  It then got "repurposed" by some people to
request the domain_suffix_match functionality which was first added to
wpa_supplicant in version 2.1.  After some back-and-forth with upstream
supplicant about the exact semantics of domain_suffix_match, even that
won't solve everyone's problems, but it's good enough for most people.

Part of the lag here is that there shouldn't have to be 3+ different
options for validating certificates, and people apparently cannot
figure out a good single mechanism to do so.  I think that would
ideally be a list of allowed domains to match, but the supplicant
doesn't implement that.  So we're left with domain_suffix_match which
will work for many people, but apparently not some large users (like
MIT).

Dan
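
An added example, not part of the original message and not wpa_supplicant's own code: a Python model of the label-wise suffix comparison that wpa_supplicant documents for domain_suffix_match (dNSName entries are checked first, the CN only when no dNSName is present), next to a hypothetical allow-list check of the kind the message wishes for. All function names and certificate names are constructed for illustration.

```python
"""Model of domain_suffix_match semantics (illustration only)."""
from __future__ import annotations


def suffix_match(name: str, suffix: str) -> bool:
    """True if `name` equals `suffix` or ends with it on a label boundary."""
    name, suffix = name.lower(), suffix.lower()  # comparison ignores case
    if "\x00" in name or not suffix or len(suffix) > len(name):
        return False  # an embedded NUL must never satisfy a match
    if not name.endswith(suffix):
        return False
    if len(name) == len(suffix):
        return True  # exact match
    # The character before the suffix must be a dot, otherwise
    # "test-example.com" would pass for "example.com".
    return name[-len(suffix) - 1] == "."


def cert_satisfies(san_dns: list[str], cn: str | None, suffix: str) -> bool:
    """Check dNSName SAN entries; fall back to the CN only if there are none."""
    if san_dns:
        return any(suffix_match(n, suffix) for n in san_dns)
    return cn is not None and suffix_match(cn, suffix)


def cert_satisfies_any(san_dns: list[str], cn: str | None,
                       allowed: list[str]) -> bool:
    """Hypothetical allow-list variant: any one listed domain may match."""
    return any(cert_satisfies(san_dns, cn, d) for d in allowed)


if __name__ == "__main__":
    # Constructed certificate names: (dNSName list, CN)
    samples = [
        (["radius.example.com"], None),
        (["test-example.com"], None),
        (["example.com.evil.test"], None),
        ([], "radius.example.com"),
        (["aaa.example.org"], "radius.example.com"),
    ]
    for san, cn in samples:
        single = cert_satisfies(san, cn, "example.com")
        multi = cert_satisfies_any(san, cn, ["example.com", "example.org"])
        print(f"SAN={san} CN={cn}: suffix={single} allow-list={multi}")
```

The last sample shows the gap between the two approaches: a single suffix rejects a server whose certificate sits under a second, unrelated domain, while the allow-list accepts it.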

