[Pkg-utopia-maintainers] Bug#981057: network-manager does not verify server certificate name on EAP-TLS WIFI connections

IB Development Team dev at ib.pl
Mon Jan 25 19:20:56 GMT 2021


Package: network-manager
Version: 1.14.6-2+deb10u1


Network manager configured for EAP-TLS verification in WIFI connection 
config ignores server certificate verification parameters other than CA 
ca-cert.

With example wifi connection config...

     [connection]
     id=myssid
     uuid=11111111-1111-1111-1111-111111111111
     type=wifi
     read-only=TRUE

     [wifi]
     mode=infrastructure
     ssid=myssid

     [wifi-security]
     key-mgmt=wpa-eap

     [802-1x]
     ca-cert=/etc/ssl/certs/myca.pem
     client-cert=/etc/ssl/client-wifi-cert.pem
     eap=tls;
     identity=myclient
     private-key=/etc/ssl/client-wifi-key.pem
     private-key-password=notused
     system-ca-certs=false
     subject-match=anywrongname
     altsubject-matches=DNS:anywrongname
     domain-suffix-match=anywrongname

     [ipv4]
     method=auto

     [ipv6]
     method=ignore

...network manager connects successfully to an AP that uses a TLS server cert with

     Subject: CN = myssid
     Subject Alternative Name:
         DNS:myssid

but it should not because of "match" requirements.

Please verify and consider fixing.

-- 
Regards,
Paweł Bogusławski

IB Development Team
E: dev at ib.pl
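
The expected outcome for the reported profile can be computed independently of NetworkManager. The following is an added example, not part of the original report and not NetworkManager or wpa_supplicant code: it evaluates the three match options from the keyfile against the certificate names quoted above. It assumes the semantics wpa_supplicant documents for `subject_match`, `altsubject_match` and `domain_suffix_match`, in simplified form; the function names and the `/CN=...` subject form are assumptions.

```python
import configparser

# Constructed sample: the match-related part of the reported [802-1x] section.
KEYFILE = """\
[802-1x]
ca-cert=/etc/ssl/certs/myca.pem
eap=tls;
subject-match=anywrongname
altsubject-matches=DNS:anywrongname
domain-suffix-match=anywrongname
"""
# Server certificate names from the report, subject written in "/CN=..." form.
SERVER_SUBJECT = "/CN=myssid"
SERVER_SAN = ["DNS:myssid"]


def suffix_match(constraint, name):
    """Compare whole DNS labels from the right, case-insensitively."""
    want = constraint.lower().strip(".").split(".")
    have = name.lower().strip(".").split(".")
    return len(want) <= len(have) and have[-len(want):] == want


def evaluate(keyfile_text, subject, san):
    """Return {option: holds?} for every match option set in [802-1x]."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(keyfile_text)
    sec = cfg["802-1x"]
    results = {}
    if sec.get("subject-match"):  # substring of the subject string
        results["subject-match"] = sec["subject-match"] in subject
    if sec.get("altsubject-matches"):  # any listed entry present in the SAN
        wanted = [w for w in sec["altsubject-matches"].split(";") if w]
        results["altsubject-matches"] = any(w in san for w in wanted)
    if sec.get("domain-suffix-match"):
        # dNSName entries are used; the CN only if the SAN has none.
        names = [e[4:] for e in san if e.startswith("DNS:")] or [
            p[3:] for p in subject.split("/") if p.startswith("CN=")]
        results["domain-suffix-match"] = any(
            suffix_match(sec["domain-suffix-match"], n) for n in names)
    return results


def should_accept(results):
    """The server is acceptable only if every configured constraint holds."""
    return all(results.values())
```

For the profile in the report every constraint evaluates to false, so a connection that succeeds indicates the options were not enforced.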


