[Pkg-utopia-maintainers] Bug#981057: network-manager does not verify server certificate name on EAP-TLS WIFI connections
IB Development Team
dev at ib.pl
Mon Jan 25 19:20:56 GMT 2021
Package: network-manager
Version: 1.14.6-2+deb10u1
network manager configured for EAP-TLS verification in WIFI connection
config ignores server certificate verification parameters other than CA
ca-cert.
With example wifi connection config...
[connection]
id=myssid
uuid=11111111-1111-1111-1111-111111111111
type=wifi
read-only=TRUE
[wifi]
mode=infrastructure
ssid=myssid
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
ca-cert=/etc/ssl/certs/myca.pem
client-cert=/etc/ssl/client-wifi-cert.pem
eap=tls;
identity=myclient
private-key=/etc/ssl/client-wifi-key.pem
private-key-password=notused
system-ca-certs=false
subject-match=anywrongname
altsubject-matches=DNS:anywrongname
domain-suffix-match=anywrongname
[ipv4]
method=auto
[ipv6]
method=ignore
...network manager connects successfully to an AP that uses a TLS server cert with
Subject: CN = myssid
Subject Alternative Name:
DNS:myssid
but it should not because of "match" requirements.
Please verify and consider fixing.
--
Regards,
Paweł Bogusławski
IB Development Team
E: dev at ib.pl
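
The check the report expects, as an added example that is not part of the original message and is not NetworkManager or wpa_supplicant code: a simplified Python model of the documented wpa_supplicant semantics for the three match settings, run over a constructed copy of the reported [802-1x] section. The function names and the "CN=..." / "TYPE:value" input formats are assumptions.

```python
import configparser

# Constructed copy of the [802-1x] section from the report above.
PROFILE = """
[802-1x]
ca-cert=/etc/ssl/certs/myca.pem
eap=tls;
system-ca-certs=false
subject-match=anywrongname
altsubject-matches=DNS:anywrongname
domain-suffix-match=anywrongname
"""

def suffix_match(name, suffix):
    # Label-wise suffix comparison: "example.com" matches "a.example.com"
    # but not "badexample.com".
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def failed_constraints(profile_text, subject_dn, san_entries):
    """Return the match settings that the server certificate fails.

    subject_dn  -- subject as one string, e.g. "CN=myssid" (assumed format)
    san_entries -- SAN values as "TYPE:value", e.g. ["DNS:myssid"]
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(profile_text)
    sec = cfg["802-1x"]
    failed = []

    want = sec.get("subject-match")
    if want and want not in subject_dn:          # substring of the subject
        failed.append("subject-match")

    want = [e for e in sec.get("altsubject-matches", "").split(";") if e]
    if want and not set(want) & set(san_entries):  # any one entry must match
        failed.append("altsubject-matches")

    want = sec.get("domain-suffix-match")
    if want:
        names = [e[4:] for e in san_entries if e.startswith("DNS:")]
        if not names:  # fall back to CN only when no dNSName SAN exists
            names = [p.strip()[3:] for p in subject_dn.split(",")
                     if p.strip().startswith("CN=")]
        if not any(suffix_match(n, want) for n in names):
            failed.append("domain-suffix-match")
    return failed
```

A non-empty result means the supplicant should refuse the server; for the certificate in the report all three settings fail.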