Wireless (WiFi) client configuration is a bit of a mess in Ubuntu 22.04. Basic PEAP information about the remote certificate is not communicated through the GUI, but can be found in syslog.
Useful wireless information can be found by running
journalctl -f -u NetworkManager -u wpa_supplicant
Details of the remote PEAP certificate will look like:
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' hash=4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1' hash=52274c57ce4dee3b49db7a7ff708c040f771898b3be88725a86fb4430182fe14
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=AU/ST=Here/L=Town/O=Example Company/CN=wifi.example.com' hash=.....
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:wifi.example.com
wpa_supplicant: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:wireless.example.com
Relevant details:
- the name of the depth=2 certificate, " DigiCert Global Root CA" in the example. This is what you need to find when configuring wireless
- the CN on the certificate, "wifi.example.com" in this example. This should be entered as the domain to verify.
This wifi network may be configured as:
The Domain is the CN from syslog with depth=0.
The path to the CA certificate is where the well known CA certificate files live which is /usr/share/ca-certificates/mozilla/
What is frustrating is that the WiFi provider doesn't always publish the CA they have used, which means you have to look in syslog (as described above) to find the CA. If the WiFi provider changes the CA in the future then WiFi will break until you update it with new CA being used. The current configuration dialogue requires you to use CA pinning which is considered bad practice.
What I would like to see in the GUI configuration is the option to automatically accept any certificate with a CN matching the given domain which is signed by any well known CA - similar to how https currently works.
No comments:
Post a Comment