--cafile enabling system-trust nevertheless?

Martin Pauly pauly at hrz.uni-marburg.de
Sun Sep 8 13:09:55 PDT 2024


Hi,

first, thank you for such a detailed discussion of how to achieve privilege separation
and non-root operation!

Now for the OT part:
>>> (Really sorry to bother, we've turned to a "Once bitten, twice shy" mindset
>>> after we learned that leaving a CA setting blank has proved disastrous
>>> in the context of WiFi supplicants. With openconnect, we're obviously
>>> apart from that kind of problems by a long shot.)


On 07.09.24 07:14, Daniel Lenski wrote:
>> Ooh, interesting. Reading between the lines a bit here… "leaving a CA
>> setting blank" in WiFi enterprise authentication (802.1x) resulted in
>> "don't validate the RADIUS server's certificate at all." So your
>> clients then connected to forged/spoofed APs+RADIUS servers!?

Exactly. Especially Android devices used to do this in vast numbers (~30%),
as of 2020 (had been even worse since at least 2008). During a change of
root cert (predating the one mentioned above) we were really troubled
about our eduroam users, so many devices to set up/renew. But it went so smoothly
that we got suspicious. We launched an investigation (including a real world attack)
which confirmed our apprehensions. During the course of this investigation,
the option "Do not validate" suddenly started to disappear from the Androids.
Turns out, others had also understood the issue to its full extent and put it on their list.
WPA3-R2 prohibits the presence of that option (thanks here to Stefan Winter).
Now I compare this to

Daniel Lenski:
>> You'll probably be reassured to know that openconnect (the CLI
>> application) has not had an option to disable certificate validation
>> altogether in many years 😅.
>> https://gitlab.com/openconnect/openconnect/commit/6c95e85f154f2ee24b8914ab6c0ffe555152ca7f

David Woodhouse:
> Right. I figured even providing that *option* to users was a bad idea.
> Saw one too many "helpful" pastebin/stackexchange/whatever snippets
> with the --no-cert-check option, threw my toys out of the pram a little
> bit and ripped it out 🙂

Looks like convergent evolution to me :-))

Cheers, Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
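The failure mode described in this thread (a blank CA setting in an 802.1X profile means the RADIUS server's certificate is never checked, so a rogue AP is accepted) can be caught before it bites by auditing supplicant profiles. The following is an added example, not code from the thread, openconnect or wpa_supplicant: it parses `network={...}` blocks in wpa_supplicant.conf syntax and flags enterprise profiles that lack `ca_cert`/`ca_path` or any server-name match key. The sample configuration is constructed.

```python
import re

# Constructed wpa_supplicant.conf with two eduroam-style profiles: the first
# leaves the CA unset (the "Do not validate" equivalent), the second pins a CA
# bundle and the expected RADIUS server name.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="secret"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.example.org"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# Any one of these keys restricts which server certificate the CA may vouch for.
SERVER_MATCH_KEYS = ("domain_match", "domain_suffix_match",
                     "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict per network={...} block, key -> value with quotes stripped."""
    nets = []
    for body in BLOCK_RE.findall(text):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)   # split once: phase2="auth=..." keeps its '='
            kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets

def audit_network(net):
    """Return finding codes for one block; an empty list means the profile is OK."""
    findings = []
    if "eap" not in net and "EAP" not in net.get("key_mgmt", ""):
        return findings                         # PSK/open network: no server cert to check
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("missing-ca")           # without a CA the server cert is not verified
    if not any(k in net for k in SERVER_MATCH_KEYS):
        findings.append("missing-server-match") # any cert chained to the CA would be accepted
    return findings

def audit_conf(text):
    """Audit every block; returns [(ssid, [findings...]), ...]."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(text)]
```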