WPA Supplicant EAP-TTLS Behaviour Certificate Check
MonkZ
i+hostap at monkz.de
Fri Aug 13 03:30:32 PDT 2021
Hi,
I need to know how wpa_supplicant behaves if a config like this is applied:
network={
    ssid="SSID"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user"
    anonymous_identity="anonymous"
    password="password"
    ca_cert="/etc/ssl/certs/*public-ca*.pem"
    phase2="auth=MSCHAPV2"
}
Would *every* radius certificate signed by this public CA (or chain with
this root) be accepted?
Or is there a check against CN / SubjectAltName?
If a constraint is given with
domain_suffix_match=example.com
it does allow radius.example.com,
but does it allow radius.*malicious*example.com?
Or does the configuration have to be prefixed with a dot? To exclude
myexample.com?
Like domain_suffix_match=.example.com
Regards
MonkZ
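
Added example, not part of the original post and not wpa_supplicant's own code: a C sketch of the label-wise suffix rule that the wpa_supplicant.conf documentation gives for domain_suffix_match (labels are compared starting from the top-level domain, so test.example.com matches example.com and test-example.com does not). The helper name suffix_match_labelwise and the sample hostnames are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not wpa_supplicant code): returns 1 when `name`
 * equals `suffix` or ends with "." followed by `suffix`, ignoring case.
 * `name_len` is passed separately because a certificate dNSName is a
 * length-delimited value, not a C string.
 */
int suffix_match_labelwise(const char *name, size_t name_len,
                           const char *suffix)
{
    size_t suffix_len = strlen(suffix), off, i;

    /* A name with an embedded NUL must never match. */
    if (memchr(name, '\0', name_len) != NULL)
        return 0;
    if (suffix_len == 0 || suffix_len > name_len)
        return 0;
    off = name_len - suffix_len;
    for (i = 0; i < suffix_len; i++)
        if (tolower((unsigned char)name[off + i]) !=
            tolower((unsigned char)suffix[i]))
            return 0;
    if (off == 0)
        return 1;               /* whole name equals the suffix */
    /* The character before the suffix must be a label separator. */
    return name[off - 1] == '.';
}

int main(void)
{
    /* Constructed sample names, based on the hostnames in the question. */
    const char *names[] = {
        "radius.example.com", "example.com", "RADIUS.Example.COM",
        "radius.maliciousexample.com", "myexample.com", "test-example.com",
    };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-30s %s\n", names[i],
               suffix_match_labelwise(names[i], strlen(names[i]),
                                      "example.com") ? "match" : "no match");
    return 0;
}
```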