Multiple subject_match fields?

Curtis Larsen curtlarsen at gmail.com
Sun Mar 28 14:43:31 EDT 2010


On Sun, Mar 28, 2010 at 9:51 AM, Jouni Malinen <j at w1.fi> wrote:
>
> On Sun, Mar 28, 2010 at 01:15:12AM -0600, Curtis Larsen wrote:
>
> > I have noticed that when I use the subject_match field in my config with two
> > servers like this...
>
> > ca_cert="/usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt"
> >         subject_match="/C=US/ST=SOMESTATE/L=Some City/O=Some Organization/OU=IT/CN=server1.domain.com"
> >         subject_match="/C=US/ST=SOMESTATE/L=Some City/O=Some Organization/OU=IT/CN=server2.domain.com"
>
> > If the AP that I am connected to starts authenticating against
> > server2.domain.com, then I fail authentication because of a cert/hostname
> > mismatch.  Is there a way to specify multiple "subject_match" fields instead
> > of just one?
>
> I would assume it is server1 that fails in this particular example since
> the second subject_match entry would override the first one.

Maybe, but the point is the APs point to two different servers with the
same CA, but different CN defined. So I need a config that allows
either CN in case one or the other fails.

> There is
> not currently any way of specifying multiple alternative match strings
> for this. I would have assumed that network that actually use multiple
> servers are much more likely to use their own CA certificate to make
> this type of matching unnecessary.

We started with our own CA and went to the third-party Entrust cert to
make client configuration simpler, especially for some embedded
devices.  So yes, I suppose now we are trying to make up for that by
validating hostnames of the servers.

> The current alternatives for this would be to either select a common
> substring that is present with both servers (which might be enough if
> you are just interested in matching with the organization name)

Yeah... this is better, but in a large organization there is still a
risk that someone within the organization could request the same CA
from Entrust with a different hostname/CN and could use it behind a
rogue AP.  Unlikely... I know.

> and
> using altsubject_match which can actually support multiple alternative
> entries (obviously assuming that the server certificates do use this).

Hmmm... sounds hopeful.  Does altsubject_match require a DNS name?
Or, can it still just verify the CN on the cert?  The examples I have
seen of altsubject_match only show DNS.  I guess I am just trying to
match the Windows client config, which just validates the Entrust cert
and verifies CA details including CN, but does not do anything with
DNS... that I know of.

If I used altsubject_match, would this config correctly make it so
that my client would match either server1 or server2 if either one
died?

ca_cert="/usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt"
subject_match="/C=US/ST=SOMESTATE/L=Some City/O=SomeOrganization/OU=IT/CN=server1.domain.com"
altsubject_match="/C=US/ST=SOMESTATE/L=Some City/O=SomeOrganization/OU=IT/CN=server2.domain.com"

Let me know.

Thanks,

Curtis
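The three options discussed in this thread, modelled as an added example (this is not wpa_supplicant's own code; it follows the wpa_supplicant.conf documentation: subject_match is a substring test against the subject DN string, altsubject_match is a semicolon-separated list of "TYPE:value" entries compared exactly against the certificate's subjectAltName entries, and a repeated key in a network block is last-wins). The server certificates and the config snippets are constructed for the two servers named above.

```python
# Added example modelling wpa_supplicant's subject_match / altsubject_match
# semantics; not wpa_supplicant code. Certificates below are constructed.

def parse_network_block(text):
    """Parse key="value" lines the way a last-wins config parser does."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def subject_match_ok(subject_dn, pattern):
    """subject_match: plain substring test against the subject DN string."""
    return pattern is None or pattern in subject_dn

def altsubject_match_ok(san_entries, pattern):
    """altsubject_match: any ';'-separated entry must exactly equal a SAN entry."""
    if pattern is None:
        return True
    wanted = [e for e in pattern.split(";") if e]
    return any(e in san_entries for e in wanted)

def server_accepted(cert, cfg):
    """Both checks must pass; an unset option is a no-op."""
    return (subject_match_ok(cert["subject"], cfg.get("subject_match"))
            and altsubject_match_ok(cert["san"], cfg.get("altsubject_match")))

# Constructed certificates for the two RADIUS servers (subject as a DN string,
# SAN as wpa_supplicant-style "DNS:" entries).
DN = "/C=US/ST=SOMESTATE/L=Some City/O=SomeOrganization/OU=IT/CN="
SERVER1 = {"subject": DN + "server1.domain.com", "san": ["DNS:server1.domain.com"]}
SERVER2 = {"subject": DN + "server2.domain.com", "san": ["DNS:server2.domain.com"]}

# 1) Two subject_match lines: the second overrides the first, so server1 fails.
DUPLICATE = f'subject_match="{DN}server1.domain.com"\nsubject_match="{DN}server2.domain.com"\n'
# 2) Common substring: accepts both servers, and any other cert under the same O/OU.
COMMON = 'subject_match="/O=SomeOrganization/OU=IT/CN="'
# 3) altsubject_match with two DNS entries: accepts exactly these two names.
ALT = 'altsubject_match="DNS:server1.domain.com;DNS:server2.domain.com"'
# 4) A DN string in altsubject_match never equals a SAN entry, so it never matches.
DN_IN_ALT = f'altsubject_match="{DN}server2.domain.com"'
```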


More information about the HostAP mailing list