Hi,
I have had a look at the options wpa_supplicant offers for verifying the
subject of the certificate of an authentication server. As of the config
documentation found here [1], the options are:
subject_match, altsubject_match, domain_suffix_match, domain_match.
As subject_match is described with "this cannot be used securely", and
domain_suffix_match can have security implications as described here [2]
it seems that the use of altsubject_match or domain_match are most
appropriate.
domain_match matches against SubjectAlternativeName and as a fallback
against the Subject field. altsubject_match matches only against the
SubjectAlternativeName without falling back to Subject. For
compatibility reasons having a fallback to the Subject field seems
appropriate.
On the other hand, altsubject_match allows supplying a list of
acceptable domains, where domain_match only accepts one domain.
Supplying a list could be handy in case multiple radius servers should
be acceptable (e.g. in a situation as described in [2]).
I would like to get some feedback on the idea of extending domain_match
to support a list of acceptable domains. I think this could be
implemented without breaking compatibility with its current behaviour.
Alternatively a new option could be created but this would probably take
a long time to be available downstream to be used by e.g. the
network-manager GUI…
Best Regards,
Niklas Goerke
[1] https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
[2] https://bugzilla.gnome.org/show_bug.cgi?id=341323#c34
_______________________________________________
Hostap mailing list
http://lists.infradead.org/mailman/listinfo/hostap
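As an added illustration (not hostap code, and not part of the mail above): a small Python model of the four server-certificate name checks, following their descriptions in wpa_supplicant.conf, run over constructed sample certificates. Certificates are represented as dicts of the fields the checks look at (subject DN, CN, SubjectAltName entries) instead of parsed X.509 so it runs offline; the semicolon-separated list form of domain_match is the extension proposed in the mail, modeled here as a hypothetical, not current wpa_supplicant behaviour.

```python
"""Model of wpa_supplicant's server-certificate name constraints.

Illustration only; behaviour follows the option descriptions in
wpa_supplicant.conf. The list form of domain_match is the proposal
from the mail (hypothetical extension), not existing behaviour.
"""

# Constructed sample "certificates" standing in for parsed X.509 data.
CERT_WITH_SAN = {
    "subject": "C=DE, O=Example Org, CN=radius1.example.com",
    "cn": "radius1.example.com",
    "san": [("DNS", "radius1.example.com"), ("DNS", "radius2.example.com")],
}
CERT_CN_ONLY = {  # older style certificate without any SubjectAltName
    "subject": "C=DE, O=Example Org, CN=radius.example.com",
    "cn": "radius.example.com",
    "san": [],
}
CERT_LOOKALIKE = {  # a name that merely *contains* the expected domain
    "subject": "C=DE, O=Other Org, CN=radius.example.com.other-org.net",
    "cn": "radius.example.com.other-org.net",
    "san": [("DNS", "radius.example.com.other-org.net")],
}


def _dns_names(cert):
    """dNSName SAN values; the CN is used only if there are none (fallback)."""
    names = [v for t, v in cert["san"] if t == "DNS"]
    if names:
        return names
    return [cert["cn"]] if cert["cn"] else []


def _suffix_ok(name, suffix):
    """Label-wise suffix comparison: all labels of `suffix` must equal the
    trailing labels of `name`; `name` may carry extra leading labels."""
    n = name.lower().split(".")
    s = suffix.lower().split(".")
    return len(n) >= len(s) and n[-len(s):] == s


def domain_suffix_match(cert, suffix):
    """domain_suffix_match: suffix check on dNSName SANs, CN fallback."""
    return any(_suffix_ok(n, suffix) for n in _dns_names(cert))


def domain_match(cert, domains):
    """domain_match: full, case-insensitive match on dNSName SANs, CN fallback.
    `domains` is one FQDN or (proposed extension) a ';'-separated list."""
    wanted = {d.strip().lower() for d in domains.split(";") if d.strip()}
    return any(n.lower() in wanted for n in _dns_names(cert))


def altsubject_match(cert, patterns):
    """altsubject_match: ';'-separated TYPE:VALUE entries (DNS, EMAIL, URI)
    matched only against SubjectAltName; no fallback to the Subject CN."""
    entries = set()
    for p in patterns.split(";"):
        p = p.strip()
        if not p:
            continue
        t, _, v = p.partition(":")
        entries.add((t.upper(), v.lower()))
    return any((t.upper(), v.lower()) in entries for t, v in cert["san"])


def subject_match(cert, substring):
    """subject_match: plain substring match on the subject DN, which is why
    the config documentation says it cannot be used securely."""
    return substring in cert["subject"]


if __name__ == "__main__":
    print("suffix, SAN cert      :", domain_suffix_match(CERT_WITH_SAN, "example.com"))
    print("suffix, lookalike     :", domain_suffix_match(CERT_LOOKALIKE, "example.com"))
    print("domain_match, list    :", domain_match(CERT_WITH_SAN, "radius.example.com;radius2.example.com"))
    print("domain_match, CN-only :", domain_match(CERT_CN_ONLY, "radius.example.com"))
    print("altsubject, CN-only   :", altsubject_match(CERT_CN_ONLY, "DNS:radius.example.com"))
    print("subject_match, lookal.:", subject_match(CERT_LOOKALIKE, "CN=radius.example.com"))
```

The lookalike certificate shows the difference the mail points at: the label-wise suffix check and the full match both reject it, while the substring-based subject_match accepts it; the CN-only certificate shows where domain_match (with fallback) and altsubject_match (without) diverge.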