Getting NetworkManager to probably verify TLS certificates for 802.1x networks
I'll start with my tweets:
We have an 802.1.X WPA2 Enterprise university-wide wireless network, using PEAPv0 authentication, which involves a TLS certificate. I do not appear to be able to get NetworkManager to verify the TLS certificate in a way that will let me actually connect.
The only way I can connect to our university wifi is by setting 'No CA certificate is required'. I cannot supply a CA certificate that works (I've tried), and I cannot turn on 802-1x.system-ca-certs ; nmcli just doesn't save it, no matter what, without any reported error.
With the aid of some replies from @grawity, I was able to navigate to a solution that allows me to connect without that 'No CA certificate is required' having to be set, and probably even verifies the TLS certificate.
The magic trick for me was telling NetworkManager that it should
use the system bundle of TLS certificate as the 'CA certificate'
it wants. The one important trick is that NetworkManager wants the
PEM format certificate bundle (and/or
certificate), not the DER form.
How you tell them apart is that the PEM form is base64 ASCII while
the DER form is binary. Anything with a
.pem extension had better
be a PEM file, but a
.crt extension can be either.
On Fedora 29, the system certificate bundle is found as either /etc/ssl/certs/ca-bundle.crt or /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; the former is a symlink to the latter. On Ubuntu and Debian, you want /etc/ssl/certs/ca-certificates.crt. I don't know if there are any special SELinux considerations that apply depending on the path you select, because I turned that off long ago on my laptop.
I don't know if this setup makes NetworkManager actually verify the TLS certificates (or perhaps wpa_supplicant, which is apparently the thing that really does the work even when NetworkManager is being the frontend). But at least I'm not telling NetworkManager to maybe ignore TLS security entirely.
(When I was looking at logs through journalctl, they were sufficiently ambiguous to me that I couldn't be sure.)
Sidebar: A further puzzle
At this point I don't have my laptop and its logs of TLS certificate
information handy, but the more I look at our university page for
campus wireless and the certificates it lists, the more puzzled I get.
My attempts to verify the TLS certificate started with the TLS
certificate listed there and proceeded through what '
dump' told me were the CA
certificates for that TLS certificate. However, now that I look
more carefully, the page also has a CA bundle that is supposed to
be current, but that CA bundle has a rather different set of CA
certificates. It's possible that had I gotten and used that CA
bundle, the actual 802.1x TLS certificate I was presented with would
(It's apparently possible to capture the 802.1x server TLS certificate, but it may not be easy. And you have to be on the wireless network in question, which I'm not as I write this entry.)