Dan Williams <d...@redhat.com> on Mon, 2016/02/08 10:21:
> On Mon, 2016-02-08 at 12:09 +0100, Christian Hesse wrote:
> > Hello everybody,
> >
> > when networkmanager connects to a WPA/WPA2-Enterprise secured network
> > it can check the validity of the server certificate against a CA
> > certificate.
> >
> > Connecting to the authentication server does not include a domain
> > name, though. So by default there is no way to check the certificate CN
> > value. This results in a potential security issue: If anybody has a
> > certificate with *any* CN issued by the same CA networkmanager will
> > accept it as valid.
> > An attacker can set up access points with same SSID and forged
> > authentication server to phish user credentials and redirect network
> > traffic.
> >
> > Since version 2.1 wpa_supplicant supports configuration option
> > 'domain_suffix_match' to manually specify a domain (suffix) to match
> > the server certificate against. 'domain_match' was added later on.
> >
> > I would like to see a configuration option within networkmanager for
> > this setting. Any chance to add that?
>
> Yes, it's come up recently on bugzilla.gnome.org too and it should
> likely get added

Ah, nice. Do you have a link for the bug? I did not find it...
And is anybody working on this?

> alongside the existing subject matching support.

Ah, missed that. But is there a way to change this in GUI?
-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
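
A check for the gap discussed in this thread, as an added example that is not part of the original message and is not NetworkManager or wpa_supplicant code: it reads a wpa_supplicant configuration and flags 802.1X networks that trust a CA but set none of `domain_suffix_match`, `domain_match`, `subject_match` or `altsubject_match`. The sample configuration, its SSIDs, paths and domain are constructed.

```python
import re
# Options that bind the server certificate to a name, beyond CA validation.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

# Constructed sample configuration; SSIDs, paths and domains are made up.
SAMPLE_CONF = '''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="corp-wifi-pinned"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="lab"
    key_mgmt=WPA-EAP
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
'''

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"^\s*network\s*=\s*\{(.*?)^\s*\}", text, re.S | re.M):
        lines = (l.strip() for l in body.splitlines())
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Return (ssid, finding) for 802.1X networks with weak server validation."""
    findings = []
    for net in parse_networks(text):
        if not ("eap" in net or "EAP" in net.get("key_mgmt", "")):
            continue  # PSK networks have no server certificate to check
        if not ("ca_cert" in net or "ca_path" in net):
            findings.append((net.get("ssid"), "no CA: server certificate not verified"))
        elif not any(opt in net for opt in NAME_CHECKS):
            findings.append((net.get("ssid"), "CA only: any certificate from this CA accepted"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```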