On Fri, 2012-03-09 at 15:13 +0000, John Carter wrote:
> Hi,
>
> I'm writing a small app that creates 802.1x profiles. I can create
> profiles and connect, but I'm not sure I'm doing the right thing re
> certificates for phase1 (I'm not using EAP-MSCHAPv2 and EAP-GTC. I'm
> not using EAP-TLS):
>
> According to
> http://projects.gnome.org/NetworkManager/developers/settings-spec-08.html I
> must set ca-cert to "file:///path/to/cert.der" with a trailing null byte and
> I should also set ca-path to a directory that contains the certs for the
> chain (as DER).

Perhaps the docs should be clarified. Setting the ca-cert value overrides
the ca-path value to some degree, such that the CA cert against which the
other side's certificate is checked is the value in ca-cert if present.
ca-path gets used if you either don't specify a ca-cert, or if we need
some additional certificates to complete the cert chain during
verification.

> I'm assuming that phase2-ca-cert and phase2-ca-path are used for
> EAP-TLS and I shouldn't be concerned with them.

Not quite; the phase2 stuff would only come into play if you're using
EAP-TTLS. Basically, some methods have an outer, anonymous tunnel to
establish encryption and then do the inner tunnel (phase2) for the
authentication to hide the various details of the auth process. So the
outer tunnel gets used on all the EAP methods that do encryption, and
that's where the CA cert gets verified. But if you do EAP-TTLS/TLS where
TLS is used as the inner tunnel then you'd populate phase2-ca-cert,
phase2-client-cert, and phase2-private-key etc. At the moment the
nm-connection-editor GUI doesn't allow easy configuration of EAP-TTLS/TLS
but that's mainly because it's almost never used, since it doesn't
provide much (if any) benefit over plain TLS.

> If I supply the chain certs do I need to supply the server cert in
> ca-cert?

No, you'd supply the CA chain that signed the server's certificate.

> If I supply just the ca-cert do I need the chain certs?

You'll need the whole chain if you don't supply ca-path, and if you do
supply ca-path, you'll need the whole chain up to the point where a major
CA has signed it. So typical use would be that your organization has paid
say Verisign to sign their organization-wide CA, which they then use to
sign the server's certificate. The organization preloads their
organizational CA and the Verisign root CA into ca-path.

When the connection happens, the server certificate is retrieved which is
then verified using ca-cert and if necessary additional certificates in
the chain from ca-path.

> Is there anything else I need to know or do to avoid creating a big
> security hole?

Always set a CA certificate, and optionally set the subject match stuff
to something known from the server's certificate to ensure that some
rogue AP doesn't try to impersonate your server.

Dan
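As an added example (not code from the thread or from NetworkManager itself), here is a small Python helper that builds an 802-1x setting the way the reply describes: ca-cert encoded with the "file://" path scheme and its trailing NUL byte, ca-path pointing at the chain directory, and a subject match taken from the server certificate. It also audits a setting against the advice given above (always set a CA cert, set subject-match, phase2-* certificate keys only matter for EAP-TTLS). The key names follow the NM 0.8 settings spec linked in the thread; the DER detection in decode_cert_value (first byte 0x30, the ASN.1 SEQUENCE tag of a DER certificate) is a heuristic of this example, and the RADIUS hostname and paths are constructed sample values.

```python
"""Build and audit a NetworkManager 802-1x setting dict (added example)."""

PATH_PREFIX = b"file://"


def encode_cert_path(path: str) -> bytes:
    """Spec 'path' scheme: UTF-8 'file://' URI terminated by a NUL byte."""
    if not path.startswith("/"):
        raise ValueError("certificate path must be absolute")
    return PATH_PREFIX + path.encode("utf-8") + b"\0"


def decode_cert_value(value: bytes):
    """Inverse of encode_cert_path.

    Returns ('path', '/abs/file.der') for the path scheme, or
    ('blob', der_bytes) when the value looks like raw DER (the spec's
    'blob' scheme). Heuristic: DER certificates start with SEQUENCE (0x30).
    """
    if value.startswith(PATH_PREFIX):
        if not value.endswith(b"\0"):
            raise ValueError("path scheme requires a trailing NUL byte")
        return "path", value[len(PATH_PREFIX):-1].decode("utf-8")
    if value[:1] == b"\x30":
        return "blob", value
    raise ValueError("unrecognised certificate value")


def build_8021x(eap, identity, ca_cert_path=None, ca_path=None,
                subject_match=None, phase2_auth=None):
    """Assemble the 802-1x setting as a plain dict (keys per the 0.8 spec)."""
    setting = {"eap": [eap], "identity": identity}
    if ca_cert_path:
        setting["ca-cert"] = encode_cert_path(ca_cert_path)
    if ca_path:
        setting["ca-path"] = ca_path          # directory of DER chain certs
    if subject_match:
        setting["subject-match"] = subject_match
    if phase2_auth:
        setting["phase2-auth"] = phase2_auth  # inner method, e.g. mschapv2
    return setting


def audit_8021x(setting):
    """Return warnings that encode the advice from the thread."""
    warnings = []
    eap = setting.get("eap", [])
    if "ca-cert" not in setting and "ca-path" not in setting:
        warnings.append("no CA trust anchor: the server certificate "
                        "is not verified against anything")
    elif "ca-cert" not in setting:
        warnings.append("only ca-path set: any CA in that directory is "
                        "trusted; prefer a specific ca-cert")
    if not setting.get("subject-match"):
        warnings.append("no subject-match: any server cert signed by the "
                        "CA is accepted, so a rogue AP with a cert from "
                        "the same CA could impersonate the server")
    # phase2 certificate material only applies to the EAP-TTLS inner tunnel
    phase2_cert_keys = [k for k in setting
                        if k in ("phase2-ca-cert", "phase2-ca-path",
                                 "phase2-client-cert", "phase2-private-key")]
    if phase2_cert_keys and "ttls" not in eap:
        warnings.append("phase2 certificate keys set but eap is not ttls: "
                        "%s are ignored" % ", ".join(sorted(phase2_cert_keys)))
    return warnings


if __name__ == "__main__":
    # Constructed sample values; not a real deployment.
    good = build_8021x("peap", "alice",
                       ca_cert_path="/etc/certs/org-ca.der",
                       ca_path="/etc/certs/chain",
                       subject_match="radius.example.org",
                       phase2_auth="mschapv2")
    print(good["ca-cert"], audit_8021x(good))
    bad = {"eap": ["peap"], "identity": "bob", "phase2-auth": "mschapv2"}
    for w in audit_8021x(bad):
        print("WARNING:", w)
```

The audit deliberately treats a ca-path-only profile as weaker than ca-cert plus ca-path: as the reply explains, ca-cert pins the CA the server must chain to, while ca-path only supplies extra chain certificates (or, without ca-cert, the whole trusted set).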
