Hi, first, thank you for such a detailed discussion of how to achieve privilege separation and non-root operation!
Now for the OT part:
(Really sorry to bother, we've turned to a "Once bitten, twice shy" mindset after we learned that leaving a CA setting blank has proved disastrous in the context of WiFi supplicants. With openconnect, we're obviously apart from that kind of problems by a long shot.)
On 07.09.24 07:14, Daniel Lenski wrote:
Ooh, interesting. Reading between the lines a bit here… "leaving a CA setting blank" in WiFi enterprise authentication (802.1x) resulted in "don't validate the RADIUS server's certificate at all." So your clients then connected to forged/spoofed APs+RADIUS servers!?
Exactly. Especially Android devices used to do this in vast numbers (~30%), as of 2020 (had been even worse since at least 2008). During a change of root cert (predating the one mentioned above) we were really troubled about our eduroam users, so many devices to set up/renew. But it went so smoothly that we got suspicious. We launched an investigation (including a real-world attack) which confirmed our apprehensions. During the course of this investigation, the option "Do not validate" suddenly started to disappear from the Androids. Turns out, others had also understood the issue to its full extent and put it on their list. WPA3-R2 prohibits the presence of that option (thanks here to Stefan Winter). Now I compare this to Daniel Lenski:
You'll probably be reassured to know that openconnect (the CLI application) has not had an option to disable certificate validation altogether in many years. https://gitlab.com/openconnect/openconnect/commit/6c95e85f154f2ee24b8914ab6c0ffe555152ca7f
David Woodhouse:
Right. I figured even providing that *option* to users was a bad idea. Saw one too many "helpful" pastebin/stackexchange/whatever snippets with the --no-cert-check option, threw my toys out of the pram a little bit and ripped it out.
Looks like convergent evolution to me :-))

Cheers, Martin

-- 
Dr. Martin Pauly
HRZ Univ. Marburg
Hans-Meerwein-Str.
D-35032 Marburg
Phone: +49-6421-28-23527
Fax: +49-6421-28-26994
E-Mail: pa...@hrz.uni-marburg.de
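For readers who want to see what "leaving the CA setting blank" looks like in practice, here is an added wpa_supplicant configuration example (it is not part of the thread and not taken from any of the projects mentioned): the first network block omits `ca_cert`, so the supplicant will accept whatever server certificate a rogue AP and RADIUS server present; the second block pins the issuing CA and the expected server name. The SSID, identity, password, CA path and server name are constructed placeholders.

```conf
# Weak profile: no CA configured. The supplicant cannot tell the real
# RADIUS server from an impostor, which is the failure mode discussed above.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="changeme"
    # ca_cert is deliberately absent here to show the insecure state
}

# Hardened profile: the server certificate must chain to the named CA
# and carry the expected RADIUS server name.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="changeme"
    # placeholder path to the institution's RADIUS CA bundle
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    # placeholder server name; domain_match requires an exact dNSName match
    domain_match="radius.example.org"
}
```

`domain_match` is stricter than `domain_suffix_match`: the former requires the certificate's dNSName (or CN) to equal the configured value, while the latter accepts any host under that suffix. Either is a large improvement over no `ca_cert` at all, because without a CA the supplicant performs no chain validation and the name check never runs.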
_______________________________________________ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel