signed server certs (was: Freeradius2 and OSX clients no TLS)

Arran Cudbard-Bell a.cudbardb at gmail.com
Mon Mar 7 23:07:12 CET 2011


On Mar 7, 2011, at 4:03 PM, Arran Cudbard-Bell wrote:

> 
> On Mar 7, 2011, at 3:57 PM, Alan Buxey wrote:
> 
>> Hi,
>> 
>>> 1) It validates the server cert to assure it's signed by a CA it trusts 
>>> (possibly via a cert chain).
>>> 
>>> 2) It then validates the certificate subject to make sure the server it 
>>> thought it was connecting to appears in the certificate (either as the 
>>> certificate subject or one of the certificate subject alternate names).
>>> 
>>> If either 1 or 2 fails it should abort the connection.
>>> 
>>> If it were possible on an SSL/TLS connection to impersonate another 
>>> server then most of PKI would be a complete failure.
>>> 
>>> So why does this group think PKI doesn't work?
>> 
>> check the supplicant configuration. note the parts where the client
>> can be told to validate that the server has a particular CN.  
>> 
>> that's the issue. if the client knows the CA then it can be happily duped... one
>> of the causes of this is with e.g. HTTPS, the client is told to connect to a 
>> particular host name entry... and there are A records to check etc. With
>> 802.1X it's just EAP. Layer 2, physical, no way of doing anything else.
> 
> Uh-huh, relying on a for-profit organisation to properly verify the information provided for every CSR that comes its way seems like a bad idea to me too.
> 

Though I guess there's probably no box saying 'I promise not to use this certificate to harvest credentials from another one of your customers'...

and I guess that should be 3rd party...
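An added illustration of the point Alan makes above (not something posted in this thread): the two supplicant configurations side by side, in wpa_supplicant.conf syntax. The SSID, identity, password, CA path and RADIUS host name are placeholders. The first block only names a CA, which is the configuration that gets "happily duped"; the second adds the identity check that step 2 of the validation list above requires, which in 802.1X has to be configured by hand because there is no host name on the wire to compare against.

```conf
# WEAK: the CA is trusted, but nothing says which server the certificate
# must name. Any certificate issued by that CA is accepted, including one
# a third party bought for its own host name, so a rogue AP/RADIUS server
# with such a certificate completes the TLS tunnel and collects the
# inner (phase2) credentials.
network={
    ssid="example-secure"              # placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                   # placeholder
    password="alice-password"          # placeholder
    ca_cert="/etc/ssl/certs/commercial-root.pem"   # placeholder path
    phase2="auth=MSCHAPV2"
}

# HARDENED: same CA, plus an explicit expectation of the server identity.
# The certificate must chain to ca_cert AND carry the pinned name, so a
# certificate the same CA issued to someone else is rejected.
network={
    ssid="example-secure"              # placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                   # placeholder
    password="alice-password"          # placeholder
    ca_cert="/etc/ssl/certs/commercial-root.pem"   # placeholder path
    # Suffix match against the dNSName SANs (or the CN if the certificate
    # has no dNSName SAN); "radius.example.org" is a placeholder.
    domain_suffix_match="radius.example.org"
    # Alternatively an exact SAN match:
    # altsubject_match="DNS:radius.example.org"
    # The older substring match on the subject DN also works but is
    # easier to get wrong (it is a substring, not an exact comparison):
    # subject_match="/CN=radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

Two things worth checking on a real deployment: that `ca_cert` is actually set (with no CA at all the supplicant accepts any certificate, and the name options never even run), and that the pinned name really appears in the server certificate as a dNSName SAN rather than only in the CN, since the matching rules differ. Issuing the server certificate from a private CA that only ever signs your own RADIUS servers removes the "same CA, different customer" problem this thread is about entirely, and is the usual recommendation for EAP deployments.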