*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):
Binary package hint: wpasupplicant

When using a wireless network in Network Manager using WPA2-EAP (PEAP, MSCHAPv2) and choosing a CA certificate in DER format, OpenSSL fails to load the certificate with the following error message in syslog:

wpa_supplicant[1667]: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)

However, the connection is not terminated. This is a major problem since the user is not aware that the certificate was not verified. Credentials may be sent to a rogue network --- an attack which would have been detected by the certificate check.

wpa_supplicant should either 1) support both DER and PEM (currently the error vanishes when using PEM) or 2) terminate the connection before sending credentials if the CA certificate cannot be loaded.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: wpasupplicant 0.6.10-2
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 11 12:39:28 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 PATH=(custom, user)
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: wpasupplicant

** Affects: wpasupplicant (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug maverick

-- 
wpa_supplicant ignores failed CA certificate validation
https://bugs.edge.launchpad.net/bugs/673981

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
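The report turns on two things: wpa_supplicant 0.6.10 only loads the CA certificate when it is PEM, and it carries on when loading fails. The following added example (not part of the bug report or of wpa_supplicant) is a stdlib-only pre-flight check an operator could run on the file named in `ca_cert=`: it tells DER from PEM by parsing the outer ASN.1 SEQUENCE header, converts DER to the PEM framing that the report says works, and raises on anything else so the caller fails closed instead of connecting unverified. The sample DER bytes are constructed and are not a real certificate.

```python
"""Pre-flight check for the CA certificate a wpa_supplicant EAP profile uses."""
import base64

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed stand-in for a DER file: SEQUENCE tag 0x30, long-form length
# 0x82 0x01 0x00 (= 256 bytes of content), then 256 filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256


def detect_encoding(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the bytes of a certificate file."""
    if data.lstrip().startswith(PEM_HEADER):
        return "pem"
    # DER: tag 0x30 (SEQUENCE) followed by a short- or long-form length that
    # must account for exactly the rest of the file.
    if len(data) >= 2 and data[0] == 0x30:
        first = data[1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            if not 1 <= n <= 4 or len(data) < 2 + n:
                return "unknown"
            length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
        if hdr + length == len(data):
            return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in base64 PEM framing, 64 columns per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    body = "\n".join(lines).encode("ascii")
    return PEM_HEADER + b"\n" + body + b"\n" + PEM_FOOTER + b"\n"


def ca_cert_for_wpa(data: bytes) -> bytes:
    """Return PEM bytes for ca_cert=, or raise so the caller fails closed."""
    kind = detect_encoding(data)
    if kind == "pem":
        return data
    if kind == "der":
        return der_to_pem(data)
    raise ValueError("ca_cert is neither PEM nor DER; refusing to continue")


if __name__ == "__main__":
    print(ca_cert_for_wpa(SAMPLE_DER).decode("ascii"))
```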