This repository has been archived by the owner on Jan 10, 2024. It is now read-only.

eduroam setup should add radius server subject match #440

Closed
xsrf opened this issue Jan 18, 2017 · 3 comments

@xsrf

xsrf commented Jan 18, 2017

Steps to Reproduce

  1. delete "eduroam" profile on your phone
  2. open TCA
  3. configure "eduroam" using the TCA eduroam assistant

Expected Result

"eduroam" should be configured in a secure way according to the eduroam / lrz guides including checks for valid CA certificate and radius server certificate subject match

Actual Result

"eduroam" is not configured in an entirely secure way, no radius server certificate subject match is applied

Problem

Phone will connect to any malicious "eduroam" access point that issues a certificate signed by Deutsche Telekom Root CA 2 (which is actually not hard to obtain legally) and may expose user credentials

Suggested Enhancement ✨

Add radius server certificate subject match (you may check eduroamCAT App for details)

Environment

  • Phone: Any
  • OS: Android 4.x+
  • TCA Version: 1.4.7
@pfent
Contributor

pfent commented Jan 18, 2017

Thanks for bringing this to our attention.
We definitely already set the CA certificate, however I am currently not aware of a "radius server certificate subject match". Do you have a link to the "eduroam / lrz guides" you mentioned regarding this subject match?

The CAT-Android app is also rather a train wreck considering UI and code quality. I couldn't get it to configure eduroam for me… (What does a free-text field in "manual search" mean? Nothing I entered gives me results? 😦)

Looking at the relevant code in the app, it seems to set the SubjectMatch to the ServerID of the config file.

Without knowing the definitive LRZ guidelines, I'd add a call (for API 18 ~ 22)

conf.enterpriseConfig.setSubjectMatch("radius.lrz.de");

Respectively, according to the detailed wpa_supplicant instructions, a call to (API >= 23)

conf.enterpriseConfig.setDomainSuffixMatch("radius.lrz.de");

Would this satisfy your concerns? Did I miss something? Is there some way to get notified about LRZ WLAN guideline changes, if there are any?

@pfent pfent self-assigned this Jan 18, 2017
@pfent pfent added this to the 1.4.1+ milestone Jan 18, 2017
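The two calls discussed above, put into one complete configuration routine, as an added example that is not TCA's code, the CAT app's code, or the LRZ guide. It assumes an EAP-TTLS/PAP inner method, an anonymous outer identity realm, and a raw resource holding the CA certificate PEM; none of these values come from the thread, only "radius.lrz.de" and the API-level split do.

```java
import android.content.Context;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import android.os.Build;

import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Builds an "eduroam" WifiConfiguration that checks both the CA and the RADIUS server name. */
public final class EduroamConfigBuilder {

    // Server name taken from the thread; everything else below is an assumption.
    private static final String RADIUS_SERVER = "radius.lrz.de";
    private static final String SSID = "eduroam";
    // Assumed realm for the unencrypted outer identity (not from the thread).
    private static final String ANONYMOUS_IDENTITY = "anonymous@example-realm.invalid";

    private EduroamConfigBuilder() {}

    /** Loads the bundled CA certificate (e.g. Deutsche Telekom Root CA 2) from a raw resource. */
    static X509Certificate loadCaCertificate(Context ctx, int rawResId)
            throws CertificateException, IOException {
        try (InputStream in = ctx.getResources().openRawResource(rawResId)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static WifiConfiguration build(X509Certificate caCert, String identity, String password) {
        WifiConfiguration conf = new WifiConfiguration();
        conf.SSID = "\"" + SSID + "\"";
        conf.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        conf.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);

        WifiEnterpriseConfig eap = conf.enterpriseConfig;
        // Assumed EAP method; the thread does not state which one LRZ uses.
        eap.setEapMethod(WifiEnterpriseConfig.Eap.TTLS);
        eap.setPhase2Method(WifiEnterpriseConfig.Phase2.PAP);
        eap.setIdentity(identity);
        eap.setAnonymousIdentity(ANONYMOUS_IDENTITY);
        eap.setPassword(password);

        // Check 1: only certificates chaining to this CA are trusted.
        // This is the part the thread says TCA already does.
        eap.setCaCertificate(caCert);

        // Check 2: the server certificate must also be for radius.lrz.de.
        // Without this, any certificate issued by the same CA is accepted,
        // which is exactly the gap the issue describes.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // API 23+: suffix match on the certificate's DNS names.
            eap.setDomainSuffixMatch(RADIUS_SERVER);
        } else {
            // API 18-22: substring match on the subject DN (deprecated since API 23).
            eap.setSubjectMatch(RADIUS_SERVER);
        }
        return conf;
    }

    /** Adds the network and returns the network id, or -1 if the framework rejected it. */
    static int install(Context ctx, WifiConfiguration conf) {
        WifiManager wm = (WifiManager) ctx.getApplicationContext()
                .getSystemService(Context.WIFI_SERVICE);
        int netId = wm.addNetwork(conf);
        if (netId != -1) {
            wm.enableNetwork(netId, false);
            wm.saveConfiguration();
        }
        return netId;
    }
}
```

The two name checks behave differently: setSubjectMatch is a plain substring match against the subject DN string wpa_supplicant builds, so "radius.lrz.de" also matches a CN that merely contains it, whereas setDomainSuffixMatch on API 23+ matches the DNS subject alternative names (falling back to the CN) by suffix. Both checks only run after the CA check passes, so neither replaces setCaCertificate; they narrow which certificates from that CA are accepted.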
@kordianbruck
Member

kordianbruck commented Jan 18, 2017

I've already done some work on this branch: https://github.com/TCA-Team/TumCampusApp/tree/fix/wifi

That is not deployed yet tho.

@xsrf
Author

xsrf commented Jan 18, 2017

Yep, the app is pretty bad... Took me a while to figure out that you have to actually search for "DFN" if you want to get a step further ... which is getting redirected to a crappy website ;)

The LRZ guides aren't the best either, but I hope they'll get reworked before next semester. There is no good way of getting notifications about changes on the lrz websites (afaik). The security flaw mentioned is also not new, it is known for many years now...

The check against "radius.lrz.de" is what I meant. Looks good to me ;)

@kordianbruck kordianbruck mentioned this issue Jan 27, 2017
@kordianbruck kordianbruck added this to Finished 1.4.8 in TCA Development 1.5 Jun 11, 2017