Re: WPA2-Enterprise and server certificate verification
On Mon, 2016-02-08 at 12:09 +0100, Christian Hesse wrote:
> Hello everybody,
>
> when networkmanager connects to a WPA/WPA2-Enterprise secured network it can
> check the validity of the server certificate against a CA certificate.
>
> Connecting to the authentication server does not include a domain name,
> though. So by default there is no way to check the certificate CN value. This
> results in a potential security issue: If anybody has a certificate with
> *any* CN issued by the same CA, networkmanager will accept it as valid.
> An attacker can set up access points with the same SSID and a forged
> authentication server to phish user credentials and redirect network traffic.
>
> Since version 2.1 wpa_supplicant supports the configuration option
> 'domain_suffix_match' to manually specify a domain (suffix) to match the
> server certificate against. 'domain_match' was added later on.
>
> I would like to see a configuration option within networkmanager for this
> setting. Any chance to add that?

Yes, it's come up recently on bugzilla.gnome.org too and it should likely get
added alongside the existing subject matching support.

Dan
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: WPA2-Enterprise and server certificate verification
Christian Hesse on Mon, 2016/02/08 21:23:
> > Yes, it's come up recently on bugzilla.gnome.org too and it should
> > likely get added
>
> Ah, nice. Do you have a link for the bug? I did not find it...
> And is anybody working on this?

Uh, just found this one...

https://bugzilla.gnome.org/show_bug.cgi?id=341323

So this has been pending for nearly ten years?
--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Chris get my mail address:*/=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig*/b/42*2-3)*42);}
Re: WPA2-Enterprise and server certificate verification
Dan Williams on Mon, 2016/02/08 10:21:
> On Mon, 2016-02-08 at 12:09 +0100, Christian Hesse wrote:
> > Hello everybody,
> >
> > when networkmanager connects to a WPA/WPA2-Enterprise secured network it can
> > check the validity of the server certificate against a CA certificate.
> >
> > Connecting to the authentication server does not include a domain name,
> > though. So by default there is no way to check the certificate CN value. This
> > results in a potential security issue: If anybody has a certificate with
> > *any* CN issued by the same CA, networkmanager will accept it as valid.
> > An attacker can set up access points with the same SSID and a forged
> > authentication server to phish user credentials and redirect network traffic.
> >
> > Since version 2.1 wpa_supplicant supports the configuration option
> > 'domain_suffix_match' to manually specify a domain (suffix) to match the
> > server certificate against. 'domain_match' was added later on.
> >
> > I would like to see a configuration option within networkmanager for this
> > setting. Any chance to add that?
>
> Yes, it's come up recently on bugzilla.gnome.org too and it should
> likely get added

Ah, nice. Do you have a link for the bug? I did not find it...
And is anybody working on this?

> alongside the existing subject matching support.

Ah, missed that. But is there a way to change this in the GUI?
--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Chris get my mail address:*/=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig*/b/42*2-3)*42);}
Re: WPA2-Enterprise and server certificate verification
On Mon, 2016-02-08 at 21:35 +0100, Christian Hesse wrote:
> Christian Hesse on Mon, 2016/02/08 21:23:
> > > Yes, it's come up recently on bugzilla.gnome.org too and it
> > > should likely get added
> >
> > Ah, nice. Do you have a link for the bug? I did not find it...
> > And is anybody working on this?
>
> Uh, just found this one...
>
> https://bugzilla.gnome.org/show_bug.cgi?id=341323
>
> So this has been pending for nearly ten years?

No, the bug was originally about alt_subjectmatch functionality which was
added years ago. It then got "repurposed" by some people to request the
domain_suffix_match functionality which was first added to wpa_supplicant in
version 2.1. After some back-and-forth with upstream supplicant about the
exact semantics of domain_suffix_match, even that won't solve everyone's
problems, but it's good enough for most people.

Part of the lag here is that there shouldn't have to be 3+ different options
for validating certificates, and people apparently cannot figure out a good
single mechanism to do so. I think that would ideally be a list of allowed
domains to match, but the supplicant doesn't implement that. So we're left
with domain_suffix_match which will work for many people, but apparently not
some large users (like MIT).

Dan
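Two points in the thread are easiest to see side by side in code: the gap Christian describes in the first message (with only `ca_cert` set, any certificate the same CA issued is accepted, so a rogue AP with its own commercially issued RADIUS certificate passes), and the label-wise semantics of `domain_suffix_match` that Dan refers to in the reply above. The following is an added example written for this page; it is not NetworkManager or wpa_supplicant code. Certificates are plain records with constructed sample data (the CA name, host names and the `attacker.test` domain are invented), and the matcher accepts a `;`-separated list of constraints as a generalisation towards the "list of allowed domains" Dan mentions; the 2016 supplicant option took a single value.

```python
"""
Name constraints for an EAP/RADIUS server certificate, modelled on the
wpa_supplicant options 'domain_suffix_match' and 'domain_match'.

Added example for this thread; not NetworkManager or wpa_supplicant code.
Certificates are plain records with constructed sample data; a real supplicant
takes these fields from the TLS handshake carried inside EAP.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ServerCert:
    """Constructed stand-in for a parsed server certificate (only the fields
    the name check needs)."""
    issuer: str                                       # CA that signed it
    cn: str                                           # Subject CN
    san_dns: List[str] = field(default_factory=list)  # SubjectAltName dNSName


def _labels(name: str) -> List[str]:
    """Split an FQDN into lowercase labels, tolerating a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def _split(value: str) -> List[str]:
    """';'-separated list of constraints (a generalisation: the 2016
    supplicant option took a single value)."""
    return [v.strip() for v in value.split(";") if v.strip()]


def suffix_match(name: str, suffix: str) -> bool:
    """domain_suffix_match: compare one label at a time starting from the TLD;
    every label of `suffix` must be present and the certificate name may carry
    extra sub-labels in front. Unlike str.endswith, 'badexample.edu' does not
    match 'example.edu'."""
    n, s = _labels(name), _labels(suffix)
    return len(s) > 0 and len(n) >= len(s) and n[-len(s):] == s


def full_match(name: str, domain: str) -> bool:
    """domain_match: all labels must be identical, no extra sub-labels."""
    return _labels(name) == _labels(domain)


def candidate_names(cert: ServerCert) -> List[str]:
    """The dNSName SAN entries; the Subject CN is consulted only when the
    certificate carries no dNSName at all."""
    return cert.san_dns if cert.san_dns else [cert.cn]


def accept_server(cert: ServerCert, trusted_ca: str,
                  domain_suffix_match: Optional[str] = None,
                  domain_match: Optional[str] = None) -> bool:
    """Supplicant decision. With no name constraint configured this is just
    'signed by the trusted CA', which is the gap the thread describes."""
    if cert.issuer != trusted_ca:
        return False
    names = candidate_names(cert)
    if domain_match is not None:
        return any(full_match(n, d) for n in names for d in _split(domain_match))
    if domain_suffix_match is not None:
        return any(suffix_match(n, s) for n in names for s in _split(domain_suffix_match))
    return True


# Constructed sample certificates, all issued by the same (fictional) public CA.
TRUSTED_CA = "Example Public CA"
CERTS: Dict[str, ServerCert] = {
    "legit":     ServerCert(TRUSTED_CA, "radius.example.edu",
                            ["radius.example.edu", "radius2.example.edu"]),
    "rogue":     ServerCert(TRUSTED_CA, "eduroam.attacker.test", ["eduroam.attacker.test"]),
    "lookalike": ServerCert(TRUSTED_CA, "badexample.edu", ["badexample.edu"]),
    "cn_only":   ServerCert(TRUSTED_CA, "radius.example.edu"),   # no SAN at all
}
LEGIT, ROGUE = CERTS["legit"], CERTS["rogue"]


def demo() -> Dict[str, Dict[str, bool]]:
    """Acceptance decision for every sample certificate under each policy."""
    return {
        "ca_only": {k: accept_server(c, TRUSTED_CA) for k, c in CERTS.items()},
        "suffix":  {k: accept_server(c, TRUSTED_CA, domain_suffix_match="example.edu")
                    for k, c in CERTS.items()},
        "exact":   {k: accept_server(c, TRUSTED_CA, domain_match="radius.example.edu")
                    for k, c in CERTS.items()},
        # What a naive string suffix check would do: the look-alike slips through.
        "naive_endswith": {k: any(n.endswith("example.edu") for n in candidate_names(c))
                           for k, c in CERTS.items()},
    }


if __name__ == "__main__":
    for policy, verdicts in demo().items():
        print(f"{policy:15s} {verdicts}")
```

Under `ca_only` all four sample certificates are accepted, including the rogue one, because the only question asked is "did the trusted CA sign it". With `domain_suffix_match="example.edu"` the rogue and the look-alike are rejected while the legitimate server (and an older certificate that only carries a CN) still passes. In a wpa_supplicant network block the corresponding lines are `ca_cert=` plus either `domain_suffix_match=example.edu` or, for a single pinned host, `domain_match=radius.example.edu`; the `naive_endswith` row shows why the supplicant compares whole labels rather than a string suffix.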