[Pkg-utopia-maintainers] Bug#981057: marked as done (network-manager does not verify server certificate name on EAP-TLS WIFI connections)

[Debian Bug Tracking System]

Your message dated Wed, 27 Jan 2021 11:08:15 +0100
with message-id <c336ebc3-7cce-3720-8225-988d8e5f2...@debian.org>
and subject line Re: [Pkg-utopia-maintainers] Bug#981057: Bug#981057: 
network-manager does not verify server certificate name on EAP-TLS WIFI 
connections
has caused the Debian Bug report #981057,
regarding network-manager does not verify server certificate name on EAP-TLS 
WIFI connections
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
981057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981057
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: network-manager
Version: 1.14.6-2+deb10u1

network manager configured for EAP-TLS verification in WIFI connection config ignores server certificate verifiaction parameters other than CA ca-cert.

With example wifi connection config...

    [connection]
    id=myssid
    uuid=11111111-1111-1111-1111-111111111111
    type=wifi
    read-only=TRUE

    [wifi]
    mode=infrastructure
    ssid=myssid

    [wifi-security]
    key-mgmt=wpa-eap

    [802-1x]
    ca-cert=/etc/ssl/certs/myca.pem
    client-cert=/etc/ssl/client-wifi-cert.pem
    eap=tls;
    identity=myclient
    private-key=/etc/ssl/client-wifi-key.pem
    private-key-password=notused
    system-ca-certs=false
    subject-match=anywrongname
    altsubject-matches=DNS:anywrongname
    domain-suffix-match=anywrongname

    [ipv4]
    method=auto

    [ipv6]
    method=ignore

...network manager connects successfully to AP that use tls server cert with

    Subject: CN = myssid
    Subject Alternative Name:
        DNS:myssid

but it should not because of "match" requirements.

Please verify and consider fixing.

--
Regards,
Paweł Bogusławski

IB Development Team
E: d...@ib.pl

--- End Message ---

--- Begin Message ---

Am 27.01.21 um 09:08 schrieb IB Development Team:

W dniu 25.01.2021 o 20:37, Michael Biebl pisze:

I have no setup to verify this so it would be best if you file this
directly upstream as this doesn't seem to be a downstream issue.

Issue resolved in

https://mail.gnome.org/archives/networkmanager-list/2021-January/msg00014.html

Thanks for reporting back.

Regards,
Michael

--- End Message ---

_______________________________________________
Pkg-utopia-maintainers mailing list
Pkg-utopia-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers