signed server certs (was: Freeradius2 and OSX clients no TLS)
Arran Cudbard-Bell
a.cudbardb at gmail.com
Mon Mar 7 23:03:43 CET 2011
On Mar 7, 2011, at 3:57 PM, Alan Buxey wrote:
> Hi,
>
>> 1) It validates the server cert to assure it's signed by a CA it trusts
>> (possibly via a cert chain).
>>
>> 2) It then validates the certificate subject to make sure the server it
>> thought it was connecting to appears in the certificate (either as the
>> certificate subject or one of the certificate subject alternate names).
>>
>> If either 1 or 2 fails it should abort the connection.
>>
>> If it were possible on an SSL/TLS connection to impersonate another
>> server then most of PKI would be a complete failure.
>>
>> So why does this group think PKI doesn't work?
>
> Check the supplicant configuration. Note the parts where the client
> can be told to validate that the server has a particular CN.
>
> That's the issue. If the client knows the CA then it can be happily duped... One
> of the causes of this is with e.g. HTTPS, the client is told to connect to a
> particular host name entry... and there are A records to check etc. With
> 802.1X it's just EAP. Layer 2 physical, no way of doing anything else.

Uh-huh, relying on a for-profit organisation to properly verify the information provided for every CSR that comes its way seems like a bad idea to me too.
-Arran
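
Added example, not part of the original thread: a wpa_supplicant network block that trusts only the CA, next to one that also pins the expected RADIUS server name, which is the supplicant setting the quoted reply refers to. The SSID, identity, file path and server name are constructed placeholders, and PEAP/MSCHAPv2 is an assumed EAP method.

```conf
# wpa_supplicant.conf (constructed example; use one of the two blocks)

# Weak: any certificate that chains to this CA is accepted.
# With EAP there is no hostname the user typed, so nothing ties the
# certificate to your RADIUS server unless the supplicant is told
# which name to expect.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="CHANGE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
}

# Pinned: the chain must end at this CA AND the server certificate must
# carry the expected name, otherwise the handshake is aborted before
# any credentials are sent in the inner method.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="CHANGE-ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # Matched against dNSName entries in subjectAltName (CN is used only
    # when the certificate has no dNSName entries).
    domain_suffix_match="radius.example.org"
    # Older alternative: subject_match="/CN=radius.example.org"
    # subject_match is a substring match, so prefer the domain match above.
}
```

Pointing ca_cert at a private CA that signs only your RADIUS servers narrows the set of certificates that can pass check 1; the name match enforces check 2.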