On Mon, 2016-02-08 at 12:09 +0100, Christian Hesse wrote:
> Hello everybody,
> 
> when networkmanager connects to a WPA/WPA2-Enterprise secured network it
> can check the validity of the server certificate against a CA certificate.
> 
> Connecting to the authentication server does not include a domain name,
> though. So by default there is no way to check the certificate CN value.
> This results in a potential security issue: If anybody has a certificate
> with *any* CN issued by the same CA, networkmanager will accept it as valid.
> An attacker can set up access points with the same SSID and a forged
> authentication server to phish user credentials and redirect network
> traffic.
> 
> Since version 2.1 wpa_supplicant supports configuration option
> 'domain_suffix_match' to manually specify a domain (suffix) to match the
> server certificate against. 'domain_match' was added later on.
> 
> I would like to see a configuration option within networkmanager for this
> setting. Any chance to add that?

Yes, it's come up recently on bugzilla.gnome.org too and it should
likely get added alongside the existing subject matching support.

Dan
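Added example, not part of the original thread and not wpa_supplicant or NetworkManager code: a Python model of the matching rules documented for wpa_supplicant's 'domain_suffix_match' and 'domain_match', showing which server certificates pass with and without the constraint. The domain names and sample certificates are constructed, and the result of CA chain validation is passed in as a boolean (an assumption of this model).

```python
"""Model of the documented domain_suffix_match / domain_match checks."""

def _labels(name):
    # Comparison is case-insensitive and done label by label.
    return name.lower().rstrip(".").split(".")

def suffix_match(cert_name, suffix):
    """True if all labels of `suffix` end `cert_name` on a label boundary."""
    want, have = _labels(suffix), _labels(cert_name)
    return len(have) >= len(want) and have[-len(want):] == want

def full_match(cert_name, domain):
    """True only for the exact name: no subdomains, no wildcards."""
    return _labels(cert_name) == _labels(domain)

def names_to_check(san_dns, subject_cn):
    # SubjectAltName dNSName entries are used when present;
    # the subject CN is consulted only when there are none.
    return list(san_dns) if san_dns else [subject_cn]

def server_cert_accepted(chain_ok, san_dns, subject_cn,
                         domain_suffix_match=None, domain_match=None):
    """Accept/reject decision for an authentication server certificate."""
    if not chain_ok:
        return False
    names = names_to_check(san_dns, subject_cn)
    if domain_suffix_match and not any(
            suffix_match(n, domain_suffix_match) for n in names):
        return False
    if domain_match and not any(full_match(n, domain_match) for n in names):
        return False
    return True

# Constructed sample certificates, all chaining to the same CA.
RADIUS = dict(chain_ok=True, san_dns=["radius.corp.example"],
              subject_cn="radius.corp.example")
OTHER = dict(chain_ok=True, san_dns=["www.unrelated.example"],
             subject_cn="www.unrelated.example")
LOOKALIKE = dict(chain_ok=True, san_dns=[], subject_cn="radius-corp.example")

if __name__ == "__main__":
    for label, cert in [("radius", RADIUS), ("other", OTHER),
                        ("lookalike", LOOKALIKE)]:
        print(label, server_cert_accepted(**cert),
              server_cert_accepted(**cert, domain_suffix_match="corp.example"))
```

With CA validation alone all three certificates are accepted; with the suffix constraint only the certificate whose name ends in the labels `corp.example` is.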