Package: network-manager
Version: 1.14.6-2+deb10u1

NetworkManager, when configured for EAP-TLS in a Wi-Fi connection profile, ignores all server certificate verification parameters other than the CA certificate (ca-cert).

With example wifi connection config...

    # Reproduction profile from the report: an EAP-TLS Wi-Fi connection whose
    # server-certificate name constraints are deliberately set to a name that
    # the AP's certificate does not carry.
    [connection]
    id=myssid
    uuid=11111111-1111-1111-1111-111111111111
    type=wifi
    read-only=TRUE

    [wifi]
    mode=infrastructure
    ssid=myssid

    [wifi-security]
    key-mgmt=wpa-eap

    [802-1x]
    # CA certificate for validating the server certificate; according to the
    # report this is the only verification parameter that takes effect.
    ca-cert=/etc/ssl/certs/myca.pem
    client-cert=/etc/ssl/client-wifi-cert.pem
    eap=tls;
    identity=myclient
    private-key=/etc/ssl/client-wifi-key.pem
    # Placeholder value in this report; presumably the key file is not
    # passphrase-protected (confirm before reusing the profile).
    private-key-password=notused
    # System trust store is not used, so ca-cert above is the sole trust anchor.
    system-ca-certs=false
    # The three constraints below all name "anywrongname", while the AP's
    # certificate has CN = myssid and SAN DNS:myssid. Authentication is
    # therefore expected to fail; the report says it succeeds.
    subject-match=anywrongname
    altsubject-matches=DNS:anywrongname
    domain-suffix-match=anywrongname

    [ipv4]
    method=auto

    [ipv6]
    method=ignore

...NetworkManager connects successfully to an AP that uses a TLS server certificate with

    Subject: CN = myssid
    Subject Alternative Name:
        DNS:myssid

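but it should not, because none of the "match" requirements (subject-match, altsubject-matches, domain-suffix-match) is satisfied by this certificate. In effect, any server certificate issued by the configured CA appears to be accepted regardless of the name it carries.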

Please verify and consider fixing.

--
Regards,
Paweł Bogusławski

IB Development Team
E: d...@ib.pl
