Re: WPA2-Enterprise and server certificate verification

2016-02-08 Thread Dan Williams
On Mon, 2016-02-08 at 12:09 +0100, Christian Hesse wrote:
> Hello everybody,
> 
> when networkmanager connects to a WPA/WPA2-Enterprise secured network
> it can check the validity of the server certificate against a CA
> certificate.
> 
> Connecting to the authentication server does not include a domain
> name, though. So by default there is no way to check the certificate
> CN value. This results in a potential security issue: If anybody has
> a certificate with *any* CN issued by the same CA, networkmanager will
> accept it as valid. An attacker can set up access points with the same
> SSID and a forged authentication server to phish user credentials and
> redirect network traffic.
> 
> Since version 2.1 wpa_supplicant supports the configuration option
> 'domain_suffix_match' to manually specify a domain (suffix) to match
> the server certificate against. 'domain_match' was added later on.
> 
> I would like to see a configuration option within networkmanager for
> this setting. Any chance to add that?

Yes, it's come up recently on bugzilla.gnome.org too and it should
likely get added alongside the existing subject matching support.

Dan
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: WPA2-Enterprise and server certificate verification

2016-02-08 Thread Christian Hesse
Christian Hesse  on Mon, 2016/02/08 21:23:
> > Yes, it's come up recently on bugzilla.gnome.org too and it should
> > likely get added  
> 
> Ah, nice. Do you have a link for the bug? I did not find it...
> And is anybody working on this?

Uh, just found this one...

https://bugzilla.gnome.org/show_bug.cgi?id=341323

So this has been pending for nearly ten years?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Chris   get my mail address:*/=0;b=c[a++];)
putchar(b-1/(/*   gcc -o sig sig.c && ./sig*/b/42*2-3)*42);}

Re: WPA2-Enterprise and server certificate verification

2016-02-08 Thread Christian Hesse
Dan Williams  on Mon, 2016/02/08 10:21:
> On Mon, 2016-02-08 at 12:09 +0100, Christian Hesse wrote:
> > Hello everybody,
> > 
> > when networkmanager connects to a WPA/WPA2-Enterprise secured network
> > it can check the validity of the server certificate against a CA
> > certificate.
> > 
> > Connecting to the authentication server does not include a domain
> > name, though. So by default there is no way to check the certificate
> > CN value. This results in a potential security issue: If anybody has
> > a certificate with *any* CN issued by the same CA, networkmanager will
> > accept it as valid. An attacker can set up access points with the same
> > SSID and a forged authentication server to phish user credentials and
> > redirect network traffic.
> > 
> > Since version 2.1 wpa_supplicant supports the configuration option
> > 'domain_suffix_match' to manually specify a domain (suffix) to match
> > the server certificate against. 'domain_match' was added later on.
> > 
> > I would like to see a configuration option within networkmanager for
> > this setting. Any chance to add that?
> 
> Yes, it's come up recently on bugzilla.gnome.org too and it should
> likely get added

Ah, nice. Do you have a link for the bug? I did not find it...
And is anybody working on this?

> alongside the existing subject matching support.

Ah, missed that.
But is there a way to change this in the GUI?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Chris   get my mail address:*/=0;b=c[a++];)
putchar(b-1/(/*   gcc -o sig sig.c && ./sig*/b/42*2-3)*42);}


Re: WPA2-Enterprise and server certificate verification

2016-02-08 Thread Dan Williams
On Mon, 2016-02-08 at 21:35 +0100, Christian Hesse wrote:
> Christian Hesse  on Mon, 2016/02/08 21:23:
> > > Yes, it's come up recently on bugzilla.gnome.org too and it
> > > should
> > > likely get added  
> > 
> > Ah, nice. Do you have a link for the bug? I did not find it...
> > And is anybody working on this?
> 
> Uh, just found this one...
> 
> https://bugzilla.gnome.org/show_bug.cgi?id=341323
> 
> So this has been pending for nearly ten years?

No, the bug was originally about alt_subjectmatch functionality which
was added years ago.  It then got "repurposed" by some people to
request the domain_suffix_match functionality which was first added to
wpa_supplicant in version 2.1.  After some back-and-forth with upstream
supplicant about the exact semantics of domain_suffix_match, even that
won't solve everyone's problems, but it's good enough for most people.

Part of the lag here is that there shouldn't have to be 3+ different
options for validating certificates, and people apparently cannot
figure out a good single mechanism to do so.  I think that would
ideally be a list of allowed domains to match, but the supplicant
doesn't implement that.  So we're left with domain_suffix_match which
will work for many people, but apparently not some large users (like
MIT).

Dan
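An added example (not from the thread, nor NetworkManager or wpa_supplicant code) that models the label-wise checks discussed above over constructed certificate names that all chain to one trusted CA, showing what CA-only validation lets through versus what a domain_suffix_match or domain_match constraint accepts. The server names and the dict layout are assumptions made for the illustration.

```python
"""Label-wise server name checks in the style of wpa_supplicant's
domain_suffix_match and domain_match, applied on top of CA trust."""

# Constructed sample: every entry chains to the same trusted CA, so a
# CA-only check accepts all of them. All names are fictitious.
CA_SIGNED_SERVERS = {
    "legit":      {"san_dns": ["radius.example.edu"], "cn": "radius.example.edu"},
    "lookalike":  {"san_dns": ["radius-example.edu"], "cn": "radius-example.edu"},
    "other_dept": {"san_dns": [], "cn": "vpn.example.edu"},  # no SAN: CN is used
    "attacker":   {"san_dns": ["evil.example.org"], "cn": "evil.example.org"},
}

def _labels(name):
    # Compare case-insensitively, one DNS label at a time.
    return name.lower().rstrip(".").split(".")

def suffix_match(cert_name, required_suffix):
    """True when every label of required_suffix appears, in order, at the
    end of cert_name. Label-wise, so 'test-example.com' does not match
    'example.com' while 'test.example.com' does."""
    cert, req = _labels(cert_name), _labels(required_suffix)
    return len(cert) >= len(req) and cert[-len(req):] == req

def full_match(cert_name, required_fqdn):
    """True only when the whole name matches label for label."""
    return _labels(cert_name) == _labels(required_fqdn)

def names_to_check(cert):
    # dNSName SAN entries take precedence; the CN is a fallback only.
    return cert["san_dns"] or [cert["cn"]]

def accept_server(cert, ca_trusted=True, domain_suffix=None, domain=None):
    """CA trust is mandatory; the domain constraints narrow it further."""
    if not ca_trusted:
        return False
    names = names_to_check(cert)
    if domain is not None and not any(full_match(n, domain) for n in names):
        return False
    if domain_suffix is not None and not any(
            suffix_match(n, domain_suffix) for n in names):
        return False
    return True

def accepted_servers(**constraints):
    """Sorted ids of the sample servers a client would accept."""
    return sorted(k for k, c in CA_SIGNED_SERVERS.items()
                  if accept_server(c, **constraints))

if __name__ == "__main__":
    print("CA only:               ", accepted_servers())
    print("suffix example.edu:    ", accepted_servers(domain_suffix="example.edu"))
    print("full radius.example.edu:", accepted_servers(domain="radius.example.edu"))
```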