Server name/certificate subject validation in EAPOL authentications (NetworkMana
We, at the Hungarian eduroam community,
realized that the lack of this capability in NetworkManager is a VERY SERIOUS
threat. In the Eduroam infrastructure it's quite possible that your home radius
server's certificate is signed by the same CA as one or some of the numerous
radius servers proxying your request, so any of these servers can easily (even
accidentally!) open your SSL encrypted TTLS or PEAP tunnel, for example.
The problem gets even worse if you don't specify exactly the CA which signed
your certificate, but you trust every CA cert in /etc/ssl/certs (a very common
However, since your home radius server's certificate is transmitted as
cleartext in the beginning of the PEAP/TTLS communication, it can be easily
sniffed with wireshark, and a relatively desperate attacker can purchase his own
certificate from your CA.
If this attacker deploys his own AP/router/radius server, he can easily read
your passwords (in case of TTLS/PAP authentication), or your NTLM password
hashes (in case of TTLS/MSCHAPv2 or PEAP/MSCHAPv2). And the sad thing is that
this MSCHAPv2 can be cracked VERY EASILY by john ( http://www.openwall.com/john/
). According to my experience it can be cracked five times faster than old Unix
crypt password hashes :((( I managed to crack three out of four real-life
passwords in an hour without advanced dictionaries or specific options. One
password (consisting of eight digits) was cracked by simple brute force within
an hour! (
Upstream here: https://bugzilla.gnome.org/show_bug.cgi?id=341323
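
An added example, not part of the original request and not NetworkManager code: a small Python audit of wpa_supplicant-style network blocks that flags the gaps described above (trusting a whole CA directory, and accepting any server name under a trusted CA). The option names are wpa_supplicant's; the sample configuration, paths and hostnames are constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not taken from the page).
SAMPLE = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_path="/etc/ssl/certs"
    phase2="auth=PAP"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/private-ca/home-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
'''

# Any one of these ties the tunnel to a specific server identity.
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")

def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(opts):
    """List the server-validation gaps of one 802.1X network block."""
    if "eap" not in opts:
        return []
    findings = []
    if "ca_cert" not in opts:
        findings.append("no pinned CA (ca_cert missing)")
    if "ca_path" in opts:
        findings.append("trusts every CA in " + opts["ca_path"])
    if not any(k in opts for k in NAME_CHECKS):
        findings.append("server name not checked: any cert from a trusted CA is accepted")
    inner = opts.get("phase2", "").upper()
    if findings and ("PAP" in inner or "MSCHAPV2" in inner):
        findings.append("inner method " + inner + " hands credentials to such a server")
    return findings
```

Running `audit` over each block of `parse_networks(SAMPLE)` reports four findings for the first block and none for the second.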
Last change: 5 years ago