Multiple subject_match fields?

Jouni Malinen j at w1.fi
Sun Mar 28 11:51:22 EDT 2010


On Sun, Mar 28, 2010 at 01:15:12AM -0600, Curtis Larsen wrote:

> I have noticed that when I use the subject_match field in my config with two
> servers like this...

> ca_cert="/usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt"
>         subject_match="/C=US/ST=SOMESTATE/L=Some City/O=Some
> Organization/OU=IT/CN=server1.domain.com"
>         subject_match="/C=US/ST=SOMESTATE/L=Some City/O=Some
> Organization/OU=IT/CN=server2.domain.com"

> If the AP that I am connected to starts authenticating against
> server2.domain.com, then I fail authentication because of a cert/hostname
> mismatch.  Is there a way to specify multiple "subject_match" fields instead
> of just one?

I would assume it is server1 that fails in this particular example since
the second subject_match entry would override the first one. There is
not currently any way of specifying multiple alternative match strings
for this. I would have assumed that network that actually use multiple
servers are much more likely to use their own CA certificate to make
this type of matching unnecessary.

The current alternatives for this would be to either select a common
substring that is present with both servers (which might be enough if
you are just interested in matching with the organization name) and
using altsubject_match which can actually support multiple alternative
entries (obviously assuming that the server certificates do use this).

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list