[PATCH v2] Add dbus signal for information about server certification

Dan Williams dcbw
Thu Jun 30 09:31:13 PDT 2011


On Thu, 2011-06-30 at 15:20 +0800, Michael Chang wrote:
> 2011/6/30 Dan Williams <dcbw at redhat.com>:
> > 1) isn't the cert hash a hex string?  should that also be a byte array?
> > what is the "normal form" of the cert hash when it's used in other
> > programs?  Would most clients of wpa_supplicant have to convert the hash
> > from a hex string to a binary one to use it internally, like eg pass the
> > hash to OpenSSL if they were to use OpenSSL to parse the certificate
> > data for some reason?
> 
> If my understanding is correct, the intended usage of this probed
> cert_hash is to pass it in the ca_cert config for "matching this
> certification hash in connection". The connection would be allowed
> only if the hash didn't change.
> 
> ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
> 
> IMHO the above mechanism is especially useful when the authentication server
> uses a "self signed" certification. The supplicant has no root CA to
> validate it, but it can choose to accept and store the hash in the ca_cert
> config. This provides a way to secure the system from a possible MITM attack
> in the future.
> 
> A hex string should be better than a byte array in the above usage case, right?

Yeah, if that string you post is what gets passed, then it can't be a
byte array because it has the type and hash algorithm in the string too.
I was just curious, keeping it a string is cool.

> > 2) you've already done the work, but I don't know if we care a lot about
> > the old D-Bus interface; I'd just drop that part were I submitting the
> > patch, but maybe people can use that functionality.
> 
> I am fine with dropping the old D-Bus interface. The reason I added it
> is because SLED11's NetworkManager still uses the old D-Bus interface. I
> hoped it would be included to facilitate future backports, but it's not a
> big deal. We can have a distro specific patch of course. :)

That's fine too, I was just wondering.  We still use the old interface
on RHEL 6 too of course.  If you're working on patches to make use of
this in NM that would rock, please submit them to the NM list too and
we'll see what we can do to roll them in.

Cheers,
Dan
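The ca_cert pin form discussed above ("hash://server/sha256/<hex>") as an added, stand-alone example (not code from the thread or from wpa_supplicant): it derives the pin string from a DER certificate blob, validates a stored pin, and compares a presented certificate against it in constant time. The certificate bytes are a constructed placeholder, not a real certificate.

```python
import hashlib
import hmac
import re

# Pin form from the thread:  ca_cert="hash://server/sha256/<64 hex chars>"
# Only sha256 is accepted here; anything else is rejected rather than guessed at.
HASH_URI_RE = re.compile(r"^hash://server/(?P<algo>sha256)/(?P<hex>[0-9a-fA-F]{64})$")


def cert_hash_uri(cert_der: bytes) -> str:
    """Return the ca_cert pin string for a DER-encoded server certificate."""
    return "hash://server/sha256/" + hashlib.sha256(cert_der).hexdigest()


def parse_hash_uri(uri: str) -> bytes:
    """Validate a stored pin and return the expected 32-byte digest.

    Raises ValueError for an unsupported algorithm or a malformed hex part,
    so a typo in the config fails closed instead of matching nothing.
    """
    m = HASH_URI_RE.match(uri.strip())
    if m is None:
        raise ValueError("not a supported hash://server/sha256/<hex> pin: %r" % uri)
    return bytes.fromhex(m.group("hex"))


def cert_matches_pin(cert_der: bytes, pinned_uri: str) -> bool:
    """True only if the presented certificate's SHA-256 equals the pinned digest."""
    expected = parse_hash_uri(pinned_uri)
    actual = hashlib.sha256(cert_der).digest()
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a DER certificate blob (NOT a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-server-cert-bytes"

if __name__ == "__main__":
    pin = cert_hash_uri(SAMPLE_CERT_DER)
    print("pin to store in ca_cert:", pin)
    print("same cert accepted:", cert_matches_pin(SAMPLE_CERT_DER, pin))
    # A changed certificate (e.g. one substituted on the path) no longer matches.
    print("changed cert rejected:", cert_matches_pin(SAMPLE_CERT_DER + b"x", pin))
```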