On 2014-06-19 00:48, Michael Rodrigues wrote:
> Hi,
>
> I've been searching around the list and the Internet trying to figure
> out how a wireless client can verify the hostname of the SSL cert
> provided by Radiator through the NAS as an SMTP or HTTP client would,
> but I can't seem to find anything insightful. I'm not concerned with how
> the client uses the SSL chain and its included CAs to verify the cert
> cryptographically.
>
> For one, the client doesn't have Internet to make a reverse lookup until
> they accept the cert.
>
> Second, even if they were allowed DNS before authentication, someone
> controlling the network could easily catch and spoof the reverse lookup
> reply to make their cert look legitimate (assuming it was
> cryptographically legitimate).
>
> I'm doing some development/testing and I notice that iOS and Windows 8
> seem to see my certificate as valid but not "verified". I set up a PTR
> record to match my host and cert name, but it didn't seem to make any
> difference. I monitored tcpdump while authenticating from OS X and I see
> no PTR requests.
>
> I realize each client can have a different implementation. Is it even
> possible to legitimately verify a certificate hostname for clients using
> PEAP and EAP? I'd like to be as secure as possible without resorting to
> client-side certificates.

Security is achieved by configuring a CA cert which you trust, from which the RADIUS server cert is signed. In some clients (Windows >= Vista is one of them) you can additionally configure the subject of the certificate to trust. Lifetime is checked as well; revocation isn't, for the clients I know.

>
> Thanks,
> Michael
>
T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
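The reply above describes the two settings that actually make PEAP server validation meaningful: a pinned CA and an expected server name configured on the client, so that no DNS or PTR lookup is needed at all. As an added illustration (not from the thread, and not Radiator's own configuration), here are two wpa_supplicant network blocks for the same SSID, the weak one beside the hardened one. The SSID, identity, CA file path and the name radius.example.com are assumed for the example; Windows clients express the same idea through the "Connect to these servers" name and the trusted root CA selection in the PEAP profile, and iOS through a configuration profile that pins the trusted certificate.

```ini
# Added example, not from the Radiator thread. Two wpa_supplicant network
# blocks for the same PEAP/MSCHAPv2 SSID; SSID, credentials, CA path and
# server name are assumed for illustration.

# WEAK: no CA pinned and no expected server name. The supplicant accepts
# whatever certificate the NAS relays, so a rogue AP with a self-signed
# certificate receives the inner MSCHAPv2 exchange and can attack the
# password hash offline.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust exactly one CA and require the RADIUS server's name in
# the certificate. The expected name lives in the client configuration,
# so an attacker who controls the network cannot spoof it the way a
# reverse DNS reply could be spoofed.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
    # CA that signed the RADIUS server certificate (assumed path); only
    # certificates chaining to this file are accepted, not the system store
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # require this exact host name in the certificate's dNSName SAN (or CN);
    # domain_suffix_match="example.com" would accept any host under the domain
    domain_match="radius.example.com"
}
```

With the hardened block, the supplicant still checks the certificate's validity period as part of chain building, but, as the reply notes, it does not consult a CRL or OCSP for the server certificate; if the RADIUS server key is compromised, the practical remedy is to rotate the CA or push a new ca_cert to the clients rather than rely on revocation.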