Package: network-manager
Version: 1.6.2-3
Severity: normal
Tags: patch upstream
Some 802.1x networks (wifi or wired) use self-signed certificates.
wpa_supplicant supports this by checking the sha256 sum of the
certificate instead of verifying the certificate against some CA
certificate: a 'hash://...' URL is supplied instead of a path in the
'ca-cert' configuration option.
The keyfile plugin of NetworkManager, responsible for reading
/etc/NetworkManager/system-connections/*, thinks that ca-cert
is a local path and adds /etc/NetworkManager/... before the hash.
The solution is simple: just pass the hash URL from the keyfile to
wpa_supplicant as-is, as is done for absolute paths.
(It would be nice to also have graphical configuration for this, but
that would be a feature request for another package.)
The sha256 sum of the certificate is already logged when no certificate
check is done:

Jun 7 14:51:57 chewbacca wpa_supplicant[841]: wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=WMSvc-ELVIRA' hash=c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb

Then I can use the hash in the keyfile, and wpa_supplicant refuses to
send my username/password to any server that presents a different
certificate.
Example configuration from
/etc/NetworkManager/system-connections/my_safer_8021x follows:
...
[802-1x]
ca-cert=hash://server/sha256/c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb
eap=peap;
identity=my_user_name
password=my_password
phase2-auth=mschapv2
...
Patch allowing 'hash://' url in ca-cert follows:
diff --git a/libnm-core/nm-keyfile-reader.c b/libnm-core/nm-keyfile-reader.c
index 8adf67dd..c071264d 100644
--- a/libnm-core/nm-keyfile-reader.c
+++ b/libnm-core/nm-keyfile-reader.c
@@ -893,7 +893,7 @@ get_cert_path (const char *base_dir, const guint8
*cert_path, gsize cert_path_le
base = path = g_malloc0 (cert_path_len + 1);
memcpy (path, cert_path, cert_path_len);
+ if (path[0] == '/')
- if ((path[0] == '/') || (strncmp(path, "hash://",7)==0))
return path;
p = strrchr (path, '/');
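Review bot: the '+' and '-' markers in this hunk are inverted relative to the change described in the report: '+ if (path[0] == '/')' is the pre-existing condition and '- if ((path[0] == '/') || (strncmp(path, "hash://",7)==0))' is the intended new one, so applied as-is with patch or git apply the hunk either fails or removes the hash:// support it is meant to add; regenerate the diff with old and new in the right order before it goes upstream. The '@@ -893,7 +893,7 @@ get_cert_path (...' header has also been wrapped onto two lines in transit and needs re-joining for the hunk to apply at all. On the condition itself: 'strncmp(path, "hash://",7)' is safe here because g_malloc0 (cert_path_len + 1) guarantees a NUL terminator, but the hard-coded 7 is a magic number; since the file already uses GLib, g_str_has_prefix (path, "hash://") says the same thing without it. Note as well that only the scheme prefix is checked, so whatever follows 'hash://' is handed to wpa_supplicant unvalidated; that matches the report's intent (wpa_supplicant parses the URL), but the commit message should say so.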
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages network-manager depends on:
ii adduser 3.115
ii dbus 1.10.16-1
ii init-system-helpers 1.47
ii libaudit1 1:2.6.7-2
ii libbluetooth3 5.43-2
ii libc6 2.24-9
ii libglib2.0-0 2.50.3-1
ii libgnutls30 3.5.8-3
ii libgudev-1.0-0 230-3
ii libjansson4 2.9-1
ii libmm-glib0 1.6.4-1
ii libndp0 1.6-1+b1
ii libnewt0.52 0.52.19-1+b1
ii libnl-3-200 3.2.27-2
ii libnm0 1.6.2-2
ii libpam-systemd 233-5
ii libpolkit-agent-1-0 0.105-18
ii libpolkit-gobject-1-0 0.105-18
ii libreadline7 7.0-2
ii libselinux1 2.6-3+b1
ii libsoup2.4-1 2.56.0-2
ii libsystemd0 233-5
ii libteamdctl0 1.26-1+b1
ii libuuid1 2.29.2-1
ii lsb-base 9.20161125
ii policykit-1 0.105-18
ii udev 233-8
ii wpasupplicant 2:2.4-1
Versions of packages network-manager recommends:
ii crda 3.18-1
ii dnsmasq-base 2.76-5+b1
ii iptables 1.6.0+snapshot20161117-5
ii iputils-arping 3:20161105-1
ii isc-dhcp-client 4.3.5-3
ii modemmanager 1.6.4-1
ii ppp 2.4.7-1+4
Versions of packages network-manager suggests:
pn libteam-utils <none>
-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf changed [not included]
-- no debconf information
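The ca-cert=hash:// handling described in the report, worked through as an added example. This is illustration code, not NetworkManager's or wpa_supplicant's own code and not part of the original report: a small reimplementation of the keyfile reader's path decision before and after the fix, derivation of the pin from the quoted CTRL-EVENT-EAP-PEER-CERT line, and the check wpa_supplicant performs against a presented server certificate (its hash= field is the SHA-256 of the DER-encoded certificate). Function names, the SAMPLE_DER bytes and the keyfile/log text embedded below are constructed assumptions.

```python
"""Added example (not NetworkManager/wpa_supplicant code): how a
ca-cert=hash://server/sha256/<hex> pin is derived and checked, and how the
keyfile reader treated it before and after the fix in the report."""
import configparser
import hashlib
import re
import ssl

# Constructed sample data, copied from the report's keyfile fragment and
# wpa_supplicant log line (the password is the report's placeholder).
KEYFILE = """\
[802-1x]
ca-cert=hash://server/sha256/c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb
eap=peap;
identity=my_user_name
password=my_password
phase2-auth=mschapv2
"""
LOG_LINE = ("Jun  7 14:51:57 chewbacca wpa_supplicant[841]: wlp3s0: "
            "CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=WMSvc-ELVIRA' "
            "hash=c640682caa9cd14bf60640f92ff59c844df363dfce800fca3416b9cb222a4cdb")

# Constructed stand-in for a DER-encoded certificate; the hash logic does not
# care about ASN.1 structure, only about the exact bytes.
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

HASH_URL_RE = re.compile(r"^hash://server/sha256/([0-9a-f]{64})$")
LOG_HASH_RE = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=0 .*\bhash=([0-9a-f]{64})\b")


def ca_cert_from_keyfile(text):
    """Return the raw ca-cert value of the [802-1x] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp["802-1x"]["ca-cert"]


def resolve_cert_path(base_dir, value, allow_hash_url=True):
    """Mimic the keyfile reader's get_cert_path() decision (assumed name from
    the patch). With allow_hash_url=False this is the pre-fix behaviour the
    report describes: only absolute paths pass through, so a hash:// pin
    gets the keyfile directory prepended and becomes a bogus file path."""
    if value.startswith("/"):
        return value
    if allow_hash_url and value.startswith("hash://"):
        return value
    return base_dir.rstrip("/") + "/" + value


def pin_from_log_line(line):
    """Turn the hash= of a depth=0 CTRL-EVENT-EAP-PEER-CERT line into the
    ca-cert value for the keyfile. Only depth=0 (the server's own
    certificate) is pinned; lines for intermediates/CAs return None."""
    m = LOG_HASH_RE.search(line)
    if not m:
        return None
    return "hash://server/sha256/" + m.group(1)


def cert_hash_url(pem):
    """The same pin computed from the certificate itself: SHA-256 over the
    DER encoding, hex-encoded, in wpa_supplicant's hash://server/sha256/ form."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return "hash://server/sha256/" + hashlib.sha256(der).hexdigest()


def peer_cert_accepted(ca_cert_value, peer_der):
    """Decide whether a presented server certificate (DER bytes) matches the
    pin. A value that is not a well-formed hash:// pin is rejected rather
    than falling open."""
    m = HASH_URL_RE.match(ca_cert_value.lower())
    if not m:
        return False
    return hashlib.sha256(peer_der).hexdigest() == m.group(1)


if __name__ == "__main__":
    base = "/etc/NetworkManager/system-connections"
    pin = ca_cert_from_keyfile(KEYFILE)
    print("pre-fix :", resolve_cert_path(base, pin, allow_hash_url=False))
    print("fixed   :", resolve_cert_path(base, pin))
    print("log pin matches keyfile:", pin_from_log_line(LOG_LINE) == pin)
    print("sample cert accepted by its own pin:",
          peer_cert_accepted(cert_hash_url(SAMPLE_PEM), SAMPLE_DER))
```

Running the script shows the pre-fix resolution producing "/etc/NetworkManager/system-connections/hash://server/sha256/..." (a path that cannot exist, so wpa_supplicant is never handed the pin), while the fixed resolution passes the URL through unchanged. The pin derived from the log line equals the ca-cert value in the keyfile, which is the workflow the report describes: connect once without a check, read the depth=0 hash, then pin it.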