[Pkg-freeradius-maintainers] Bug#919236: Inappropriately broad default CA for EAP configuration
Sam Hartman
hartmans at debian.org
Sun Jan 13 22:35:29 GMT 2019
package: freeradius
tags: security
version: 3.0.17+dfsg-1
severity: important
justification: Inappropriately broad default authorization
The Debian freeradius package changes the default EAP configuration to
use the system-wide list of Debian certification authorities as the
CAs for verifying client certificates on incoming EAP connections.
The package leaves the following notice in
/etc/freeradius/3.0/mods-available/eap:
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
and then proceeds to do something even worse: it sets the default CA to
the entire list of Debian-trusted CAs.
As the freeradius docs discuss, the default CA for verifying EAP
client certificates should be an organization-specific CA.
--Sam
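A small audit script for the problem described in this report (an added example, not part of the bug report or of the freeradius package). It assumes the client-CA setting is the `ca_file` directive in the eap module's tls-config block and that the broad Debian default points at the system bundle /etc/ssl/certs/ca-certificates.crt; it flags a config whose `ca_file` is a system-wide trust store or holds more than a handful of CA certificates.

```shell
#!/bin/sh
# Audit helper added here; not from the bug report or the freeradius project.
# Assumptions: the client-CA setting is the "ca_file" directive inside the eap
# module's tls-config block, and the overly broad Debian default points at the
# system bundle /etc/ssl/certs/ca-certificates.crt.

# Print the first active (uncommented) ca_file value from an eap module file.
# ${var} references are printed unexpanded, exactly as written in the config.
eap_ca_file() {
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]*ca_file[ \t]*=/ {
      sub(/^[ \t]*ca_file[ \t]*=[ \t]*/, "")
      sub(/[ \t]*#.*$/, ""); sub(/[ \t]*$/, ""); gsub(/"/, "")
      print; exit
    }' "$1"
}

# Count PEM certificates in a file; 0 when it is missing or unexpandable.
bundle_cert_count() {
  if [ -f "$1" ]; then grep -c 'BEGIN CERTIFICATE' "$1" || true; else echo 0; fi
}

# Return 0 when ca_file looks like an organization CA, 1 when it is unset,
# is a well-known system-wide trust store, or holds more than MAX_CAS certs.
MAX_CAS=${MAX_CAS:-5}
check_eap_ca() {
  ca=$(eap_ca_file "$1")
  case "$ca" in
    ''|/etc/ssl/certs|/etc/ssl/certs/ca-certificates.crt|/etc/ssl/cert.pem|/etc/pki/tls/certs/ca-bundle.crt)
      echo "BAD: ca_file='$ca' is a system-wide trust store; any CA in it can issue EAP client certs"
      return 1 ;;
  esac
  n=$(bundle_cert_count "$ca")
  if [ "$n" -gt "$MAX_CAS" ]; then
    echo "BAD: $ca holds $n CA certificates; EAP clients should be verified against one org CA"
    return 1
  fi
  echo "OK: ca_file=$ca ($n CA certificate(s) on disk)"
}

# Stand-alone use: audit the Debian default location.
if [ "${1:-}" = --run ]; then check_eap_ca /etc/freeradius/3.0/mods-available/eap; fi
```

Run it as `sh audit-eap-ca.sh --run` on the RADIUS host; a non-zero exit means the EAP client-certificate CA is broader than a single organization CA.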