Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections

From: IB Development Team <dev ib pl>
To: Beniamino Galvani <bgalvani redhat com>
Cc: networkmanager-list gnome org
Subject: Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections
Date: Tue, 26 Jan 2021 15:07:46 +0100

W dniu 26.01.2021 o 13:49, Beniamino Galvani pisze:

Please verify if you have more than one connection for the SSID.

Only one connection is defined for this SSID and every file/etc/NetworkManager/system-connections has ist unique UUID.

After manually changing connection files, NM must be made aware of the
changes with "nmcli connection reload". It's not necessary to restart
the service. Please ensure that the modifications you did to the file
were picked up by NM; to do that, check if the nmcli output contains
the subject-match with:

Executing "nmcli connection reload" nor "systemctl restartnetwork-manager" after adding subject requirements does not work. NMshows added subject-match (with wrong value) in


nmcli -o connection show <UUID>

results but still connects ok.

Change is applied only after WIFI connection restart from Gnome GUI orsystem reboot.

Note that instead of changing the file manually and reloading
connections, you can instead perform the change directly through nmcli
with:

  nmcli connection modify <UUID> 802-1x.subject-match "foobar"

When WIFI connection is established without subject-match in its configI've executed:


# nmcli connection modify <UUID> 802-1x.subject-match "wrongname"

# nmcli -o connection show <UUID> | grep subject-match
802-1x.subject-match:                   wrongname

# nmcli connection reload

# systemctl restart network-manager

Connection was established successfully.

Then turned off and turned on WIFI from Gnome GUI and connection is notestablished with


TLS: Subject '/CN=myssid' did not match with 'wrongname'

in wpa_supplicant log. So NM restart nor "nmcli connection modify" isnot enough to apply change (but NM see the change in "nmcli -oconnection show <UUID>").

Change in the opposite direction (removing manually subject-matchparameter from connection config when connection is not establishedbecause of subject-match requirement) is applied immidiately after


# systemctl restart network-manager

--
Regards,
Paweł Bogusławski

IB Development Team
E: dev ib pl

Follow-Ups:
- Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections
  - From: Thomas Haller

References:
- network-manager does not verify server certificate name on EAP-TLS WIFI connections
  - From: IB Development Team
- Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections
  - From: Beniamino Galvani
- Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections
  - From: IB Development Team
- Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections
  - From: Beniamino Galvani

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]