[PATCH v2] Add dbus signal for information about server certification

Michael Chang mchang
Thu Jun 30 00:20:26 PDT 2011


2011/6/30 Dan Williams <dcbw at redhat.com>:
> 1) isn't the cert hash a hex string? Should that also be a byte array?
> what is the "normal form" of the cert hash when it's used in other
> programs? Would most clients of wpa_supplicant have to convert the hash
> from a hex string to a binary one to use it internally, like eg pass the
> hash to OpenSSL if they were to use OpenSSL to parse the certificate
> data for some reason?

If my understanding is correct, the intended usage of this probed
cert_hash is to pass it in the ca_cert config for "matching this
certification hash in the connection". The connection would be allowed
only if the hash didn't change.

ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

IMHO the above mechanism is especially useful when the authentication
server uses a "self signed" certification. The supplicant has no root CA
to validate it, but it can choose to accept it and store the hash in the
ca_cert config. This provides a way to secure the system from a possible
MITM attack in future.

A hex string should be better than a byte array in the above use case, right?

> 2) you've already done the work, but I don't know if we care a lot about
> the old D-Bus interface; I'd just drop that part were I submitting the
> patch, but maybe people can use that functionality.

I am fine with dropping the old D-Bus interface. The reason I added it
is that SLED11's NetworkManager still uses the old D-Bus interface. I
hoped it would be included to facilitate future backports, but it's not
a big deal. We can have a distro specific patch of course. :)

Thanks a lot for reviewing.

Regards,
Michael Chang
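The hex-versus-bytes question above comes down to one conversion at the boundary. The following is an added example, not code from this patch or from wpa_supplicant: it takes a probed hash in the hex form the signal would carry, stores it in the `hash://server/sha256/<hex>` ca_cert form shown in the message, and later checks a presented server certificate against the pin. The helper names are hypothetical, the "certificate" is a constructed byte string standing in for DER data (not a real certificate), and it assumes the pinned hash is SHA-256 over the DER-encoded certificate bytes.

```python
import hashlib
import hmac
import re

# ca_cert value taken verbatim from the message above (pinned hash of an
# unknown certificate; used here only to exercise the parser).
PAGE_EXAMPLE_CA_CERT = (
    'ca_cert="hash://server/sha256/'
    '5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"'
)

# Constructed placeholder bytes standing in for a DER-encoded server
# certificate. NOT a real certificate; only its hash matters here.
CONSTRUCTED_CERT_DER = bytes.fromhex("308201ca30820133a003020102020900") * 4

# hash://server/sha256/ followed by exactly 64 hex digits (32 bytes).
_HASH_URI_RE = re.compile(r"^hash://server/sha256/([0-9a-fA-F]{64})$")


def parse_ca_cert_hash(ca_cert_line: str) -> bytes:
    """Return the 32 raw hash bytes pinned by a ca_cert config value.

    Accepts either the bare URI or a full 'ca_cert="..."' config line.
    Raises ValueError if the value is not a well-formed sha256 pin, so a
    truncated or non-hex value can never silently match anything.
    """
    value = ca_cert_line.strip()
    if value.startswith("ca_cert="):
        value = value[len("ca_cert="):]
    value = value.strip('"')
    m = _HASH_URI_RE.match(value)
    if not m:
        raise ValueError("not a hash://server/sha256/<64 hex> pin: %r" % value)
    # Hex string (the D-Bus / config "normal form") -> binary for comparison.
    return bytes.fromhex(m.group(1))


def is_valid_ca_cert_hash(ca_cert_line: str) -> bool:
    """Boolean wrapper around parse_ca_cert_hash for config validation."""
    try:
        parse_ca_cert_hash(ca_cert_line)
        return True
    except ValueError:
        return False


def ca_cert_from_probed_hash(probed_hex_hash: str) -> str:
    """Build the ca_cert line from the hex hash a probe signal would carry.

    Lower-cases and validates the hex so the stored pin is canonical.
    """
    digest = bytes.fromhex(probed_hex_hash)  # raises on non-hex input
    if len(digest) != 32:
        raise ValueError("sha256 hash must be 32 bytes, got %d" % len(digest))
    return 'ca_cert="hash://server/sha256/%s"' % digest.hex()


def probed_hash_of(cert_der: bytes) -> str:
    """Hex SHA-256 of DER bytes, i.e. what the probe would report."""
    return hashlib.sha256(cert_der).hexdigest()


def server_cert_matches(ca_cert_line: str, cert_der: bytes) -> bool:
    """True only if the presented certificate hashes to the pinned value.

    The comparison is constant-time; a mismatch must reject the connection
    since the pin is the only trust anchor for a self-signed server.
    """
    pinned = parse_ca_cert_hash(ca_cert_line)
    actual = hashlib.sha256(cert_der).digest()
    return hmac.compare_digest(pinned, actual)


if __name__ == "__main__":
    # First contact: accept and store the probed hash.
    pin = ca_cert_from_probed_hash(probed_hash_of(CONSTRUCTED_CERT_DER))
    print(pin)
    # Later connections: the same certificate matches, a changed one does not.
    print(server_cert_matches(pin, CONSTRUCTED_CERT_DER))
    print(server_cert_matches(pin, CONSTRUCTED_CERT_DER + b"\x00"))
```

Keeping the pin as a hex string in the config and converting to bytes only at the comparison keeps the stored form human-readable and diffable, while the 32-byte compare with `hmac.compare_digest` avoids leaking match position through timing.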


