Cert validation on Android platforms
I know a lot of people on here run WPA2-Enterprise and may be surprised to hear that it is currently not possible to configure the supplicant on Android devices to validate the CN in cert presented by the server. Maybe someone could poke the correct person at google and get this fixed: https://code.google.com/p/android/issues/detail?id=37178 Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
I have reported this before and got the following response back from the Android security team: "This is a feature we haven't implemented yet. The initial thought was that using a private CA is sufficient to enable lot of enterprise scenarios. While that has turned out to be true, we are realizing that users are finding it increasingly difficult to keep the CA private. There are other scenarios where a public CA must be used; and that simply doesn't work. It is on our roadmap to enable full security for EAP-TLS - but I can't commit to a date for its release." I suggest people write to security@android.com to add further weight to this issue if it affects them. Nick
Some ore inside baseball: http://slashdot.org/comments.pl?sid=5725587&cid=47941819 Whether the "Android for Work" will produce something usable outside of a not-really-BYOD enterprise environment where users will consent to drastic changes to their systems remains to be seen. I also wrote the lead wpa_supplicant developer a long email about the current progress of .11u support which unfortunately puts yet another wrinkle into this mess since this option does not appear in the proper place in the configuration to be attached to an SSID-independant consortium ID. Also not confident that the ability to configure wpa_supplicant via a file dropped into the unprotected data directory will remain as is, since that's not the mist secure way to do things. ________________________________________ From: freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org [freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org] on behalf of Arran Cudbard-Bell [a.cudbardb@freeradius.org] Sent: Monday, October 13, 2014 4:36 PM To: FreeRadius users mailing list Subject: Cert validation on Android platforms I know a lot of people on here run WPA2-Enterprise and may be surprised to hear that it is currently not possible to configure the supplicant on Android devices to validate the CN in cert presented by the server. Maybe someone could poke the correct person at google and get this fixed: https://code.google.com/p/android/issues/detail?id=37178 Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Arran Cudbard-Bell -
Brian Julin -
Nick Lowe