wpa_supplicant ignores failed CA certificate validation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wpasupplicant (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
Binary package hint: wpasupplicant
When using a wireless network in Network Manager using WPA2-EAP (PEAP, MSCHAPv2) and choosing a CA certificate in DER format, OpenSSL fails to load the certificate with the following error message in syslog:
wpa_supplicant[
However, the connection is not terminated. This is a major problem since the user is not aware that the certificate was not verified. Credentials may be sent to a rogue network --- an attack which would have been detected by the certificate check.
wpa_supplicant should either
1) support both DER and PEM (currently the error vanishes when using PEM) or
2) terminate the connection before sending credentials if the CA certificate cannot be loaded.
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: wpasupplicant 0.6.10-2
ProcVersionSign
Uname: Linux 2.6.35-22-generic x86_64
Architecture: amd64
Date: Thu Nov 11 12:39:28 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
PATH=(custom, user)
LANG=de_DE.utf8
SHELL=/bin/bash
SourcePackage: wpasupplicant
Changed in wpasupplicant (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Additionally, it seems that when the PEM cert does not have the .pem file name extension it is not verified either (*.crt, for example).
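As an added pre-check (not part of the bug report and not wpa_supplicant's own code), the following Python script classifies a CA certificate file by its content rather than its file name, reports the two conditions described above (a DER-encoded file, and a PEM body saved under a non-.pem suffix such as .crt) before the file is referenced as ca_cert, and converts DER to PEM using only the standard library. The function names are this example's own, and the sample certificate bytes are a constructed ASN.1 stub, not a real certificate.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def detect_cert_format(data: bytes) -> str:
    """Classify raw certificate bytes as 'PEM', 'DER' or 'unknown'.

    PEM carries the BEGIN CERTIFICATE armour; DER is bare ASN.1 and always
    starts with a SEQUENCE tag (0x30). The file name is deliberately not
    consulted: a PEM body saved as foo.crt is still PEM.
    """
    if PEM_HEADER in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text, converting from DER if needed."""
    fmt = detect_cert_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        # ssl.DER_cert_to_PEM_cert only base64-armours the bytes; it does not
        # parse them, so the tag check in detect_cert_format() is the only
        # sanity check applied here.
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate")


def ca_cert_issues(filename: str, data: bytes) -> list:
    """List the problems that would make wpa_supplicant reject or skip the CA.

    An empty list means: PEM-encoded and named *.pem, the combination the
    bug report describes as working.
    """
    issues = []
    fmt = detect_cert_format(data)
    if fmt == "DER":
        issues.append("DER-encoded: convert to PEM before using it as ca_cert")
    elif fmt == "unknown":
        issues.append("not recognised as PEM or DER")
    if not filename.lower().endswith(".pem"):
        issues.append("suffix is not .pem: save the PEM copy as <name>.pem")
    return issues


# Constructed sample: a minimal ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

if __name__ == "__main__":
    for issue in ca_cert_issues("ca.der", SAMPLE_DER):
        print("ca.der:", issue)
    print(to_pem(SAMPLE_DER))
```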