Please provide option to make NetworkManager verify only the root certificate of the signed cert chain (WPA2-Enterprise)

Bug #1023277 reported by Patrick Brueckner
This bug affects 2 people
Affects: network-manager (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

I have to use a chain certificate that has all certificates involved in the verification of the AP. This seems uncomfortable and breaks the design (of at least the eduroam networks).

The (German) eduroam networks are all signed with a certificate of the corresponding university or college CA, which is signed by the DFN (German scientific network), which is signed by the Deutsche Telekom Root CA (installed by default on Ubuntu).

By opting to verify the complete chain, I have to set up various configurations for various locations.

The eduroam network is designed to enable students from all over the world to log in to worldwide higher education networks with their home-university's login.

There should be an option to only verify the root certificate of the signed cert chain.

Thomas Hood (jdthood) wrote :

I found this relevant page: http://rwth.bernd-jantzen.de/eduroam/

summary: - Network Manager needs complete certificate chain WPA2-Enterprise
+ Please provide option to make NetworkManager verify only the root
+ certificate of the signed cert chain (WPA2-Enterprise)
Mathieu Trudel-Lapierre (cyphermox) wrote :

Confirming; eduroam is just a huge pain to connect to and has been for a long while now; we should take any opportunity to fix the issues that are found.

Sadly, my university doesn't belong to eduroam yet, so I will be unable to test a fix; but I'll look at the code to see if there's a simple way to figure this out. Unfortunately, I suspect there may be some things to tweak in how wpasupplicant speaks to openssl for this to get fixed.

Perhaps as a good data point; could you try to configure your system to use just wpasupplicant to connect to that network, and see if it works better or if there is still a need for the whole chain to be validated? This would at least confirm whether there are changes to be done in NetworkManager itself.

Changed in network-manager (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
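
For the wpasupplicant-only test requested above, a network block that anchors trust on the root CA alone could look like the following. This is an added example, not configuration from the bug report or from any participant. The EAP method (PEAP/MSCHAPv2), file path, realm and server name are assumptions and placeholders, and it assumes the RADIUS server sends its intermediate certificates in the TLS handshake.

```conf
# Added example: wpa_supplicant.conf for a root-only trust anchor.
# All paths, identities and host names below are placeholders.
ctrl_interface=/run/wpa_supplicant

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP

    # Assumed EAP method; use whatever the home institution documents.
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # The outer identity travels unencrypted, so keep the real user name
    # in the inner (tunnelled) identity only.
    anonymous_identity="anonymous@example-university.example"
    identity="user@example-university.example"
    password="CHANGE-ME"

    # Trust anchor: the root CA only. The intermediates (university CA,
    # DFN CA in the chain described in this report) are not listed here;
    # they have to arrive from the server during the handshake.
    ca_cert="/path/to/root-ca.pem"

    # A public root signs many unrelated certificates, so the root alone
    # does not identify the RADIUS server. Pin the expected server name.
    # eduroam forwards the EAP exchange to the home institution, so this
    # is the home RADIUS server's name wherever the client connects.
    domain_suffix_match="radius.example-university.example"
}
```

It can be tried with NetworkManager stopped, for example `wpa_supplicant -i wlan0 -c ./eduroam.conf -d`, where the interface and file name are placeholders; the debug output shows which certificate in the chain fails verification, if any.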
Patrick Brueckner (madmuffin) wrote :

I am currently on semester break and will not be in university before October; maybe someone else can jump in earlier?

Albert Pool (albertpool) wrote :

Is this still necessary after #1104476 has been fixed? If not, this bug can be closed.

Patrick Brueckner (madmuffin) wrote :

I'm going to verify if the fix in #1104476 is sufficient or if any changes need to be made to network-manager.

Patrick Brueckner (madmuffin) wrote :

Though #1104476 is a different solution for the problem, it should work with the new fix, as it allows connecting without verifying the certificates. (Tested just now)

Aron Xu (happyaron)
tags: added: nm-improvements
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Tony Espy (awe) wrote :

Just moved this to Incomplete, as it's been posited that the fix for bug #1104476 resolves the issue.

If anyone can confirm that this is still broken, we can investigate further.

Changed in network-manager (Ubuntu):
status: Triaged → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for network-manager (Ubuntu) because there has been no activity for 60 days.]

Changed in network-manager (Ubuntu):
status: Incomplete → Expired