Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections



On Tue, Jan 26, 2021 at 01:23:46PM +0100, IB Development Team wrote:

> output I can see one conn try with subject matching failure and then next
> attempt that succeeded (no conn config file changed between):
>
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: Trying to associate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: Associated with 11:11:11:11:11:11
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='<here correct root CA subject>' hash=[...]
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='<here correct intermediate CA subject>' hash=[...]
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: TLS: Subject '/CN=myssid' did not match with 'wrongdomain'
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5 depth=0 subject='/CN=myssid' err='Subject mismatch'
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
> Jan 26 12:28:34 mycomp wpa_supplicant[937]: OpenSSL: openssl_handshake - SSL_connect error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
> Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-DISCONNECTED bssid=11:11:11:11:11:11 reason=23
> Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=1 ssid="myssid" auth_failures=1 duration=10 reason=AUTH_FAILED
>
> Jan 26 12:28:35 mycomp wpa_supplicant[937]: dbus: wpa_dbus_property_changed: no property SessionLength in object /fi/w1/wpa_supplicant1/Interfaces/5
> Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-SSID-REENABLED id=1 ssid="myssid"
> Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: SME: Trying to authenticate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
> Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: Trying to associate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
> Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: Associated with 11:11:11:11:11:11
> Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: WPA: Key negotiation completed with 11:11:11:11:11:11 [PTK=CCMP GTK=CCMP]
> Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-CONNECTED - Connection to 11:11:11:11:11:11 completed [id=1 id_str=]
> Jan 26 12:29:19 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-66 noise=9999 txrate=58500

The second connection attempt (at 12:28:48) doesn't mention EAP, so
perhaps you have multiple connection profiles for the same SSID, one
using WPA-EAP and one using WPA-PSK? You can list the connection
profiles with:

 nmcli connection

and you can list the content of each of them with

 nmcli -o connection show <UUID>

Please verify whether you have more than one connection for the SSID.

> Further NM service restarts did not change verification - subject was still
> accepted (shouldn't be).
>
> Then I restarted the WIFI connection using the Gnome UI and the next connections were
> failing (on subject verification, in the wpa_supplicant logs).
>
> Further NM service restarts did not change verification - subject was
> rejected (as it should be).
>
> I've tested it further and it seems that adding
>
> subject-match=wrongdomain
>
> to the connection file and restarting NM is not enough to apply this requirement
> - one must restart the connection using the Gnome UI to have it applied. Is it a bug,
> or should something else be done after subject-match was added to the NM
> connection file manually?

After manually changing connection files, NM must be made aware of the
changes with "nmcli connection reload". It's not necessary to restart
the service. Please ensure that the modifications you did to the file
were picked up by NM; to do that, check if the nmcli output contains
the subject-match with:

 nmcli -o connection show <UUID>

Note that instead of changing the file manually and reloading
connections, you can perform the change directly through nmcli
with:

 nmcli connection modify <UUID> 802-1x.subject-match "foobar"

Instead of <UUID> you can also use the connection name, but note that
if multiple connections have the same name, only one of them will be
updated.

Beniamino
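The two checks Beniamino asks for above, as an added example that is not code from this thread or from NetworkManager: a Python script that groups wpa_supplicant journal lines into connection attempts and flags (a) an attempt that completed even though the server certificate failed verification and (b) an attempt on an SSID that is supposed to be 802.1X-only which completed without any EAP method being selected, the pattern a stray WPA-PSK profile with the same SSID would produce. It also reads the [802-1x] section of a NetworkManager keyfile so you can confirm which server-certificate constraints (ca-cert, subject-match, domain-suffix-match, altsubject-matches) are actually present before reloading. The log lines and keyfile below are constructed for the example, modelled on the ones quoted in the thread; the SSID set and the certificate path are assumptions.

```python
"""Audit wpa_supplicant log output and an NM keyfile for EAP-TLS cert checks.

Added example for the mailing-list discussion; not NetworkManager code.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the journal excerpt quoted in the thread:
# attempt 1 fails on subject-match, attempt 2 completes with no EAP at all.
SAMPLE_LOG = """\
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: Trying to associate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: Associated with 11:11:11:11:11:11
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=myssid' hash=abc
Jan 26 12:28:34 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5 depth=0 subject='/CN=myssid' err='Subject mismatch'
Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan 26 12:28:35 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-DISCONNECTED bssid=11:11:11:11:11:11 reason=23
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: Trying to associate with 11:11:11:11:11:11 (SSID='myssid' freq=2437 MHz)
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: Associated with 11:11:11:11:11:11
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: WPA: Key negotiation completed with 11:11:11:11:11:11 [PTK=CCMP GTK=CCMP]
Jan 26 12:28:48 mycomp wpa_supplicant[937]: wlan0: CTRL-EVENT-CONNECTED - Connection to 11:11:11:11:11:11 completed [id=1 id_str=]
"""

# Constructed NM keyfile (hypothetical cert path); mirrors the OP's edit.
SAMPLE_KEYFILE = """\
[connection]
id=myssid
type=wifi

[wifi]
ssid=myssid

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=tls;
identity=user
ca-cert=/etc/ssl/certs/corp-root.pem
subject-match=wrongdomain
"""

ASSOC_RE = re.compile(r"Trying to associate with (\S+) \(SSID='([^']*)'")
METHOD_RE = re.compile(r"CTRL-EVENT-EAP-METHOD .*\((\w+)\) selected")
CERT_ERR_RE = re.compile(r"CTRL-EVENT-EAP-TLS-CERT-ERROR .*err='([^']*)'")


@dataclass
class Attempt:
    bssid: str
    ssid: str
    eap_method: Optional[str] = None          # e.g. "TLS"; None if EAP never ran
    cert_errors: List[str] = field(default_factory=list)
    connected: bool = False


def parse_attempts(log: str) -> List[Attempt]:
    """Split the log at each 'Trying to associate' line into attempts."""
    attempts: List[Attempt] = []
    for line in log.splitlines():
        m = ASSOC_RE.search(line)
        if m:
            attempts.append(Attempt(bssid=m.group(1), ssid=m.group(2)))
            continue
        if not attempts:
            continue                          # lines before the first attempt
        cur = attempts[-1]
        if (m := METHOD_RE.search(line)):
            cur.eap_method = m.group(1)
        elif (m := CERT_ERR_RE.search(line)):
            cur.cert_errors.append(m.group(1))
        elif "CTRL-EVENT-CONNECTED" in line:
            cur.connected = True
    return attempts


def audit(log: str, eap_ssids: set) -> List[str]:
    """Return human-readable findings; empty list means nothing suspicious."""
    findings = []
    for i, a in enumerate(parse_attempts(log), 1):
        if a.cert_errors and a.connected:
            findings.append(f"attempt {i}: connected despite certificate error(s) {a.cert_errors}")
        if a.ssid in eap_ssids and a.connected and a.eap_method is None:
            findings.append(f"attempt {i}: SSID {a.ssid!r} completed without EAP; "
                            "look for a second (e.g. WPA-PSK) profile with the same SSID")
    return findings


def keyfile_cert_checks(text: str) -> Dict[str, Optional[str]]:
    """Report which server-certificate constraints the [802-1x] section sets."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["802-1x"] if cp.has_section("802-1x") else {}
    return {k: sec.get(k) for k in ("ca-cert", "subject-match",
                                    "domain-suffix-match", "altsubject-matches")}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, {"myssid"}):
        print("FINDING:", f)
    print("keyfile 802-1x constraints:", keyfile_cert_checks(SAMPLE_KEYFILE))
```

On a real host feed it `journalctl -u wpa_supplicant --no-pager` output and the keyfile under /etc/NetworkManager/system-connections/; if `audit` reports an attempt that completed without EAP, run `nmcli connection` and look for a second profile with that SSID before blaming the subject-match setting.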
