How to view WPA server's certificate?
Wed Nov 26 08:51:22 PST 2008
On Wed, 2008-11-26 at 11:44 -0500, Matt McCutchen wrote:
> On Wed, 2008-11-26 at 11:12 -0500, Dan Williams wrote:
> > On Wed, 2008-11-26 at 16:32 +0200, Jouni Malinen wrote:
> > > On Wed, Nov 26, 2008 at 01:47:26AM -0500, Matt McCutchen wrote:
> > >
> > > > I am using wpa_supplicant via NetworkManager to connect to my
> > > > university's WPA Enterprise wireless network. The wireless server
> > > > certificate is signed by the ThawtePremiumServerCA, which I configured
> > > > as the CA. I'd like to dump the server certificate to a file so I can
> > > > inspect it. Is there an easy way to do this? If not, I might code one
> > > > up to use myself and to offer to the project.
> > >
> > > There is no such feature in wpa_supplicant, but it should be relatively
> > > simple thing to add. The server certificate is available in
> > > tls_verify_cb() in src/crypto/tls_openssl.c (assuming you are using
> > > OpenSSL). wpa_supplicant is now just printing out the subject name of
> > > the certification, but you could dump the full certificate (or a
> > > fingerprint, etc.) here, too.
> > This is something we'd like to do in NetworkManager when the
> > functionality becomes available in the supplicant. I think both Mac OS
> > X and Windows do this, but we'll want to also implement a real
> > certificate store (like NSS or whatever) first, so that there's one
> > single place where this stuff lives.
> To be clear, are you proposing a desktop-wide certificate store that
> would be used by wpa_supplicant among applications? This is something I
> would love to see in Fedora; I may finally join the Fedora wiki in order
> to suggest this as a feature!
We've been kicking it around for a long time, but yes, we need
system-wide certificate store and possibly a per-user certificate store.
There are pieces of this already in NSS.
The basic scenario is that you'd load _all_ certificates and keys into
the cert store (or they could live on a hardware token), and the
applications would query this certificate store whenever they need
certs. Thus, instead of NetworkManager asking you for a _file_ path,
you'd simply get a certificate browser of the certs you'd already
imported. This is pretty much how Windows and OS X operate already, and
we're a bit behind the times here on Linux.
More information about the Hostap