signed server certs (was: Freeradius2 and OSX clients no TLS)

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon Mar 7 22:57:57 CET 2011


Hi,

> 1) It validates the server cert to assure it's signed by a CA it trusts 
> (possibly via a cert chain).
> 
> 2) It then validates the certificate subject to make sure the server it 
> thought it was connecting to appears in the certificate (either as the 
> certificate subject or one of the certificate subject alternate names).
> 
> If either 1 or 2 fails it should abort the connection.
> 
> If it were possible on an SSL/TLS connection to impersonate another 
> server then most of PKI would be a complete failure.
> 
> So why does this group think PKI doesn't work?

Check the supplicant configuration. Note the parts where the client
can be told to validate that the server has a particular CN.

That's the issue. If the client knows the CA then it can be happily duped... one
of the causes of this is that with, e.g., HTTPS, the client is told to connect to a
particular host name entry... and there are A records to check etc. With
802.1X it's just EAP: layer 2, physical, no way of doing anything else.

alan
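To make the point concrete, here is an added wpa_supplicant configuration example (not from the original post or from the FreeRADIUS project). It shows the weak supplicant setting the reply is describing, where the client trusts a CA but never checks which server the certificate names, next to the corrected block that pins the server certificate's subject. The CA path, the realm "example.ac.uk", the identity and the server name "radius.example.ac.uk" are assumed placeholders.

```ini
# Added example, not from the original post. File: wpa_supplicant.conf
# Placeholders (assumed): /etc/ssl/certs/campus-ca.pem, example.ac.uk,
# radius.example.ac.uk, jbloggs

# --- WEAK: CA is trusted, but any server cert issued by that CA is accepted ---
# Any RADIUS server holding a certificate from the same CA (a different
# department, another site, or an attacker who obtained one) can terminate the
# TLS tunnel and collect the MSCHAPv2 inner exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.ac.uk"
    identity="jbloggs@example.ac.uk"
    password="secret"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    # no subject/domain check: this is the gap the reply describes
}

# --- CORRECTED: CA trust plus an explicit check on the server's name ---
# domain_match requires a full match against the dNSName SAN entries (or the
# subject CN if no SAN is present). This is the 802.1X equivalent of the
# hostname check a browser does for HTTPS, supplied by configuration because
# EAP carries no host name for the supplicant to compare against.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.ac.uk"
    identity="jbloggs@example.ac.uk"
    password="secret"
    ca_cert="/etc/ssl/certs/campus-ca.pem"
    domain_match="radius.example.ac.uk"
    # Older releases: use subject_match="/CN=radius.example.ac.uk" (substring
    # match) or altsubject_match="DNS:radius.example.ac.uk" instead.
}
```

The second block is the shape of the check the reply says the client "can be told to" perform: the CA anchors check 1 from the quoted message, and domain_match supplies check 2. Without the name check, a supplicant will log a successful handshake against any server the CA has ever issued a certificate to, so a quick test after deploying the profile is to point the client at a server presenting a different certificate from the same CA and confirm the authentication is refused rather than completed.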


