Re: network-manager does not verify server certificate name on EAP-TLS WIFI connections

On Tue, 2021-01-26 at 15:07 +0100, IB Development Team via
networkmanager-list wrote:
W dniu 26.01.2021 o 13:49, Beniamino Galvani pisze:

Please verify if you have more than one connection for the SSID.

Only one connection is defined for this SSID and every file 
/etc/NetworkManager/system-connections has ist unique UUID.

After manually changing connection files, NM must be made aware of
changes with "nmcli connection reload". It's not necessary to
the service. Please ensure that the modifications you did to the
were picked up by NM; to do that, check if the nmcli output
the subject-match with:

Executing "nmcli connection reload" nor "systemctl restart 
network-manager" after adding subject requirements does not work. NM 
shows added subject-match (with wrong value) in

nmcli -o connection show <UUID>

results but still connects ok.

Change is applied only after WIFI connection restart from Gnome GUI
system reboot.

A connection profile is just that: a bunch of settings.

Modifying a profile (which is what `nmcli connection reload` does),
does not make the changes to the profile effective on an already
activated device.

If you modify a profile which is currently activated, the changes only
take effect after activating the profile anew (which `nmcli connection

Note that instead of changing the file manually and reloading
connections, you can instead perform the change directly through

  nmcli connection modify <UUID> 802-1x.subject-match "foobar"

When WIFI connection is established without subject-match in its
I've executed:

# nmcli connection modify <UUID> 802-1x.subject-match "wrongname"

# nmcli -o connection show <UUID> | grep subject-match
802-1x.subject-match:                   wrongname

# nmcli connection reload

# systemctl restart network-manager

Restarting NetworkManager process is almost always the wrong thing to

If you want to activate a profile, then just do that (nmcli con up). If
you modified a profile and want for the changes to take effect, (re)
activate the profile.

Connection was established successfully.

Then turned off and turned on WIFI from Gnome GUI and connection is
established with

TLS: Subject '/CN=myssid' did not match with 'wrongname'

in wpa_supplicant log. So NM restart nor "nmcli connection modify" is
not enough to apply change (but NM see the change in "nmcli -o 
connection show <UUID>").

This prints the content of the profile. That of course takes effect
immediately (during `nmcli connection modify` or `nmcli connection

If the settings of a profile are not correctly used (when activating
the profile), then that needs to be investigated. You'd do so by
enabling level=TRACE level in the log ([1]) and see what NetworkManager
tells to wpa_supplicant when activating the profile


Change in the opposite direction (removing manually subject-match 
parameter from connection config when connection is not established 
because of subject-match requirement) is applied immidiately after

# systemctl restart network-manager

Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]