Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections
- From: IB Development Team <dev ib pl>
- To: Beniamino Galvani <bgalvani redhat com>
- Cc: networkmanager-list gnome org
- Subject: Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections
- Date: Tue, 26 Jan 2021 13:23:46 +0100
On 26.01.2021 at 11:23, Beniamino Galvani wrote:
> with NM 1.14, I just tried to connect to an EAP-TLS Wi-Fi network with
> a wrong '802-1x.subject-match' and it failed complaining about the
> mismatch. I don't have the setup for 'altsubject-matches' and
> 'domain-suffix-match', I'll try to prepare one.
I've created a connection without the subject-match requirement...
[connection]
id=myconn
uuid=11111111-1111-1111-1111-111111111111
type=wifi
read-only=TRUE
[wifi]
mode=infrastructure
ssid=myssid
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
eap=tls;
system-ca-certs=false
ca-cert=/etc/ssl/certs/myrootca.pem
client-cert=/etc/ssl/client-wifi-cert.pem
private-key=/etc/ssl/client-wifi-key.pem
private-key-password=notused
identity=myidentity
[ipv4]
method=auto
[ipv6]
method=ignore
...and it worked OK. Then I manually added
subject-match=wrongdomain
...to the [802-1x] section of this file and restarted NM:
systemctl restart network-manager
The Wi-Fi connection was established OK.
> Can you please verify if NetworkManager is passing to wpa_supplicant
> the right parameters? Try to connect, and then paste the output of:
> journalctl -u NetworkManager -e | grep "Config: added"
I can see "subject_match" in the logs populated correctly:
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'ssid' value 'mycorrectssid'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'scan_ssid' value '1'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'bgscan' value 'simple:30:-65:300'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'key_mgmt' value 'WPA-EAP WPA-EAP-SHA256'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'eap' value 'TLS'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'fragment_size' value '1266'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'ca_cert' value '/etc/ssl/certs/myrootca.pem'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'subject_match' value 'wrongdomain'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7160]
Config: added 'private_key' value '/etc/ssl/client-wifi-key.pem'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7161]
Config: added 'private_key_passwd' value '<hidden>'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7161]
Config: added 'client_cert' value '/etc/ssl/client-wifi-cert.pem'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7161]
Config: added 'identity' value 'myidentity'
Jan 26 12:28:30 mycomp NetworkManager[17283]: <info> [1611660510.7161]
Config: added 'proactive_key_caching' value '1'
> Also, it would be useful to check wpa_supplicant logs for errors.
In the output of
LANG=C journalctl -u wpa_supplicant -e
I can see one connection attempt with a subject-matching failure and then
a next attempt that succeeded (no connection config file was changed in between):
Jan 26 12:28:27 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-DISCONNECTED bssid=11:11:11:11:11:11 reason=3 locally_generated=1
Jan 26 12:28:27 mycomp wpa_supplicant[937]: dbus:
wpa_dbus_property_changed: no property SessionLength in object
/fi/w1/wpa_supplicant1/Interfaces/5
Jan 26 12:28:27 mycomp wpa_supplicant[937]: wlan0: Reject scan trigger
since one is already pending
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: SME: Trying to
authenticate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: Trying to associate
with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: Associated with
11:11:11:11:11:11
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-METHOD
EAP vendor 0 method 13 (TLS) selected
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='<here correct root CA
subject>' hash=[...]
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='<here correct intermediate CA
subject>' hash=[...]
Jan 26 12:28:34 mycomp wpa_supplicant[937]: TLS: Subject '/CN=myssid'
did not match with 'wrongdomain'
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5 depth=0 subject='/CN=myssid'
err='Subject mismatch'
Jan 26 12:28:34 mycomp wpa_supplicant[937]: SSL: SSL3 alert: write
(local SSL3 detected an error):fatal:internal error
Jan 26 12:28:34 mycomp wpa_supplicant[937]: OpenSSL: openssl_handshake -
SSL_connect error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-DISCONNECTED bssid=11:11:11:11:11:11 reason=23
Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-SSID-TEMP-DISABLED id=1 ssid="myssid" auth_failures=1
duration=10 reason=AUTH_FAILED
Jan 26 12:28:35 mycomp wpa_supplicant[937]: dbus:
wpa_dbus_property_changed: no property SessionLength in object
/fi/w1/wpa_supplicant1/Interfaces/5
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-SSID-REENABLED id=1 ssid="myssid"
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: SME: Trying to
authenticate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: Trying to associate
with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: Associated with
11:11:11:11:11:11
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: WPA: Key negotiation
completed with 11:11:11:11:11:11 [PTK=CCMP GTK=CCMP]
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-CONNECTED
- Connection to 11:11:11:11:11:11 completed [id=1 id_str=]
Jan 26 12:29:19 mycomp wpa_supplicant[937]: wlan0:
CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-66 noise=9999 txrate=58500
Further NM service restarts did not change the verification - the subject was
still accepted (it shouldn't be).
Then I restarted the Wi-Fi connection using the GNOME UI and the next connections
were failing (on subject verification, in the wpa_supplicant logs).
Further NM service restarts did not change the verification - the subject was
rejected (as it should be).
I've tested it further and it seems that adding
subject-match=wrongdomain
to the connection file and restarting NM is not enough to apply this
requirement - one must restart the connection using the GNOME UI to have it
applied. Is it a bug, or should something else be done after subject-match
has been added to the NM connection file manually?
--
Regards,
Paweł Bogusławski
IB Development Team
E: dev ib pl
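The keyfile in the message above pins a trust anchor with ca-cert but, as first created, carries none of subject-match, altsubject-matches or domain-suffix-match, so any server certificate issued by that CA is accepted as the RADIUS server; the subject-match line added later is what ties the connection to one server name. The following audit script is an added example, not code from the poster or from NetworkManager. It assumes that Python's configparser can parse this plain key=value subset of the NM keyfile format (it can for the fields shown), and the two keyfiles are constructed samples modelled on the posted connection.

```python
import configparser
from typing import List

# Constructed keyfile, modelled on the connection posted above as it was first
# created: a trust anchor is pinned with ca-cert, but no server identity is pinned.
KEYFILE_NO_MATCH = """\
[connection]
id=myconn
uuid=11111111-1111-1111-1111-111111111111
type=wifi

[wifi]
mode=infrastructure
ssid=myssid

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=tls;
system-ca-certs=false
ca-cert=/etc/ssl/certs/myrootca.pem
client-cert=/etc/ssl/client-wifi-cert.pem
private-key=/etc/ssl/client-wifi-key.pem
identity=myidentity
"""

# Same connection after the manual edit described in the post.
KEYFILE_WITH_MATCH = KEYFILE_NO_MATCH.replace(
    "identity=myidentity", "identity=myidentity\nsubject-match=wrongdomain")

# 802-1x keys that constrain which server certificate is accepted (the three
# settings named in the thread); any one of them pins the server identity.
SERVER_IDENTITY_KEYS = ("subject-match", "altsubject-matches", "domain-suffix-match")
# EAP methods whose outer TLS handshake authenticates the server with a certificate.
TLS_BASED_METHODS = {"tls", "peap", "ttls", "fast"}


def audit_8021x(keyfile_text: str) -> List[str]:
    """Return the problems found with server certificate validation in the
    [802-1x] section; an empty list means the server is pinned by CA and by name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    if "802-1x" not in cp:
        return []  # not an 802.1X connection, nothing to check here
    sec = cp["802-1x"]
    # NM writes list values with ';' separators, e.g. "eap=tls;"
    methods = {m.strip().lower() for m in sec.get("eap", "").split(";") if m.strip()}
    if not methods & TLS_BASED_METHODS:
        return []
    problems: List[str] = []
    uses_system_cas = sec.get("system-ca-certs", "false").strip().lower() == "true"
    if not uses_system_cas and not sec.get("ca-cert"):
        problems.append("no trust anchor: ca-cert is unset and system-ca-certs=false, "
                        "so the server certificate chain is not verified at all")
    pinned = [k for k in SERVER_IDENTITY_KEYS if sec.get(k)]
    if not pinned:
        scope = "any public CA" if uses_system_cas else "the configured CA"
        problems.append("no server identity constraint (" + ", ".join(SERVER_IDENTITY_KEYS)
                        + " all unset): any certificate issued by " + scope
                        + " is accepted as the RADIUS server")
    return problems


if __name__ == "__main__":
    for name, text in (("without subject-match", KEYFILE_NO_MATCH),
                       ("with subject-match", KEYFILE_WITH_MATCH)):
        print(name + ":", audit_8021x(text) or "ok")
```

Run it against the files under /etc/NetworkManager/system-connections/ (they are root-readable only) to find EAP connections that trust a CA but never check the server name; the second check is the one that matters for a private CA, since such a CA often also issues the client certificates that any other station on the network holds.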
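In the wpa_supplicant log posted above, the attempt at 12:28:34 rejects the server certificate (CTRL-EVENT-EAP-TLS-CERT-ERROR, err='Subject mismatch') and the attempt at 12:28:48 reaches CTRL-EVENT-CONNECTED with no EAP events at all between "Associated with" and "Key negotiation completed". A detector over journal output should flag exactly that sequence: a connection to an SSID/BSSID whose server certificate was rejected earlier, completed without a fresh EAP run. The script below is an added example, not code from the poster or from wpa_supplicant; the two log excerpts are constructed samples modelled on the posted lines, and the journal line layout it parses is assumed to be the default `journalctl` short format shown in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the wpa_supplicant journal excerpt in the post:
# attempt 1 rejects the server certificate ('Subject mismatch'), attempt 2 goes
# from Associated straight to CONNECTED with no EAP events at all.
SAMPLE_LOG = """\
Jan 26 12:28:27 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-DISCONNECTED bssid=11:11:11:11:11:11 reason=3 locally_generated=1
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: SME: Trying to authenticate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: Associated with 11:11:11:11:11:11
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Jan 26 12:28:34 mycomp wpa_supplicant[937]: TLS: Subject '/CN=myssid' did not match with 'wrongdomain'
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5 depth=0 subject='/CN=myssid' err='Subject mismatch'
Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-DISCONNECTED bssid=11:11:11:11:11:11 reason=23
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: SME: Trying to authenticate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: Associated with 11:11:11:11:11:11
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: WPA: Key negotiation completed with 11:11:11:11:11:11 [PTK=CCMP GTK=CCMP]
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-CONNECTED - Connection to 11:11:11:11:11:11 completed [id=1 id_str=]
"""

# Constructed control case: a full EAP run with no certificate error, then CONNECTED.
CLEAN_LOG = """\
Jan 26 13:00:00 mycomp wpa_supplicant[937]: wlan0: SME: Trying to authenticate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 13:00:00 mycomp wpa_supplicant[937]: wlan0: Associated with 11:11:11:11:11:11
Jan 26 13:00:00 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 26 13:00:01 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Jan 26 13:00:01 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-CONNECTED - Connection to 11:11:11:11:11:11 completed [id=1 id_str=]
"""

# "Jan 26 12:28:34 host wpa_supplicant[937]: wlan0: <msg>"; the "wlan0: " part is
# absent on lines such as "TLS: ..." and "SSL: ...", so it is optional.
LINE_RE = re.compile(r"^\S+ +\d+ +(\d\d:\d\d:\d\d) \S+ wpa_supplicant\[\d+\]: (?:\S+: )?(.*)$")
AUTH_RE = re.compile(r"Trying to (?:authenticate|associate) with ([0-9A-Fa-f:]{17}) \(SSID='([^']*)'")
CERT_ERR_RE = re.compile(r"CTRL-EVENT-EAP-TLS-CERT-ERROR .*\berr='([^']*)'")


@dataclass
class Attempt:
    at: str
    bssid: str
    ssid: str
    eap_started: bool = False
    cert_errors: List[str] = field(default_factory=list)
    outcome: Optional[str] = None  # "connected", "disconnected", or None if the log ends mid-attempt


@dataclass
class Finding:
    kind: str
    at: str
    bssid: str
    ssid: str
    detail: str


def parse_attempts(log: str) -> List[Attempt]:
    """Group wpa_supplicant journal lines into association attempts."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        a = AUTH_RE.search(msg)
        if a:
            # "Trying to associate" right after "Trying to authenticate" is the same attempt
            if cur is None or cur.outcome is not None or cur.bssid != a.group(1):
                cur = Attempt(at=ts, bssid=a.group(1), ssid=a.group(2))
                attempts.append(cur)
            continue
        if cur is None or cur.outcome is not None:
            continue  # events outside any attempt, e.g. the initial locally generated disconnect
        cert_err = CERT_ERR_RE.search(msg)
        if "CTRL-EVENT-EAP-STARTED" in msg:
            cur.eap_started = True
        elif cert_err:
            cur.cert_errors.append(cert_err.group(1))
        elif "CTRL-EVENT-CONNECTED" in msg:
            cur.outcome = "connected"
        elif "CTRL-EVENT-DISCONNECTED" in msg:
            cur.outcome = "disconnected"
    return attempts


def analyze(log: str) -> List[Finding]:
    """Flag a CONNECTED that follows a rejected server certificate for the same
    SSID/BSSID without a fresh EAP run in between, and a CONNECTED inside an
    attempt that itself logged a certificate error."""
    findings: List[Finding] = []
    rejected: Dict[Tuple[str, str], str] = {}  # (ssid, bssid) -> last certificate error seen
    for at in parse_attempts(log):
        key = (at.ssid, at.bssid)
        if at.cert_errors:
            rejected[key] = at.cert_errors[-1]
            if at.outcome == "connected":
                findings.append(Finding("connected_despite_cert_error", at.at, at.bssid, at.ssid, rejected[key]))
        elif at.outcome == "connected":
            if at.eap_started:
                rejected.pop(key, None)  # full EAP run with no certificate error: trust re-established
            elif key in rejected:
                findings.append(Finding("connected_without_eap_after_cert_error", at.at, at.bssid,
                                        at.ssid, "earlier rejection: " + rejected[key]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.at, f.kind, f.ssid, f.bssid, f.detail)
```

Feed it `LANG=C journalctl -u wpa_supplicant -o short` output; the grouping depends on the "Trying to authenticate with" line, so a log captured with wpa_supplicant at a higher debug level will still work, while one that only contains CTRL-EVENT lines will not start an attempt and reports nothing.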