WPA Supplicant EAP-TTLS Behaviour Certificate Check

MonkZ i+hostap at monkz.de
Fri Aug 13 03:30:32 PDT 2021


Hi,

I need to know how wpa_supplicant behaves if a config like this is applied:

network={
   ssid="SSID"
   key_mgmt=WPA-EAP
   eap=TTLS
   identity="user"
   anonymous_identity="anonymous"
   password="password"
   ca_cert="/etc/ssl/certs/*public-ca*.pem"
   phase2="auth=MSCHAPV2"
}

Would *every* radius certificate signed by this public CA (or chain with 
this root) be accepted?

Or is there a check against CN / SubjectAltName?


If a constraint is given with

domain_suffix_match=example.com

it does allow radius.example.com,

but does it allow radius.*malicious*example.com?

Or does the configuration have to be prefixed with a dot, to exclude 
myexample.com?


Like domain_suffix_match=.example.com



Regards

MonkZ
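Added illustration, not part of the original message or of wpa_supplicant's own code: the wpa_supplicant.conf documentation describes domain_suffix_match as a comparison done one DNS label at a time from the top-level domain, against the SubjectAltName dNSName entries (falling back to the subject CN only when the certificate has no dNSName). The small Python model below re-implements that documented rule to show the outcome for the names asked about above; the certificate dictionaries and the `chain_ok` flag are constructed inputs standing in for the real X.509 parsing and CA validation.

```python
# Model of the documented domain_suffix_match rule (added example, not
# wpa_supplicant source). Certificates are represented as plain dicts.

def domain_suffix_match(cert_names, suffix):
    """True if any name satisfies the suffix constraint, label by label.

    Labels are compared from the right (top-level domain first) and every
    label of `suffix` must appear, so 'example.com' accepts
    'radius.example.com' but rejects 'radius.maliciousexample.com' and
    'myexample.com'. A leading dot adds an empty label that no real
    hostname has, so '.example.com' would reject 'radius.example.com'.
    """
    want = suffix.lower().split(".")
    for name in cert_names:
        have = name.lower().split(".")
        if len(have) >= len(want) and have[-len(want):] == want:
            return True
    return False


def server_name_candidates(cert):
    """dNSName SAN entries if present, otherwise the subject CN (documented fallback)."""
    return cert["san_dns"] if cert["san_dns"] else [cert["cn"]]


def accept_server_cert(cert, chain_ok, suffix=None):
    """Constructed model of the decision: CA chain first, then the name constraint.

    With only ca_cert configured (suffix=None) any certificate that chains
    to the trusted CA is accepted, which is why a name constraint matters.
    """
    if not chain_ok:
        return False
    if suffix is None:
        return True
    return domain_suffix_match(server_name_candidates(cert), suffix)


# Constructed sample certificates mirroring the names from the question.
LEGIT = {"cn": "radius.example.com", "san_dns": ["radius.example.com"]}
LOOKALIKE = {"cn": "radius.maliciousexample.com",
             "san_dns": ["radius.maliciousexample.com"]}
NO_SAN = {"cn": "myexample.com", "san_dns": []}

if __name__ == "__main__":
    for c in (LEGIT, LOOKALIKE, NO_SAN):
        print(c["cn"], accept_server_cert(c, True, "example.com"))
```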
