enterpriseWifiSafeguard / EnterpriseWifiSafeguard

MIT License

Use domain_suffix_match instead of subject_match or at least check complete DN instead of CN #16

Open petejoybaker opened 9 years ago

petejoybaker commented 9 years ago

For example instead of checking the common name only like

you should check for the complete distinguished name

because otherwise you could set up a fake RADIUS server with something like "radius.rz.uni-konstanz.de" which will work, too.

While that is better, the best option would be to check the domain_match (starting with wpa_supplicant v2.4) or the domain_suffix_match attribute (starting with wpa_supplicant v2.1):

For the "suffix" version

allows "radius.rz.uni-konstanz.de" or "evil.rz.uni-konstanz" but not "radius.uni-konstanz.de" or "evil.uni-konstanz.de" and it forbids things like "radius.rz.uni-konstanz.evil.com".
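The three checks discussed in this issue, worked through as an added example (this is not code from the EnterpriseWifiSafeguard project or from wpa_supplicant, only a model of the semantics wpa_supplicant documents for `subject_match`, `domain_suffix_match` and `domain_match`). The certificates and distinguished names below are constructed placeholders; the real subject DN of the university's RADIUS server is not on this page and is not assumed here.

```python
"""Model of wpa_supplicant-style server-certificate name checks (added example,
constructed data; not the project's own code):

  subject_match        -> plain substring test against the whole subject DN
  domain_suffix_match  -> label-by-label suffix match against the SAN dNSName
                          entries, falling back to the subject CN only when the
                          certificate carries no dNSName at all
  domain_match         -> full FQDN match against the same name set
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Minimal stand-in for the fields a supplicant inspects (constructed)."""
    subject_dn: str                       # OpenSSL one-line format, "/C=../O=../CN=.."
    dns_names: List[str] = field(default_factory=list)   # SubjectAltName dNSName


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the CN attribute of a slash-separated DN, or None if absent."""
    for rdn in subject_dn.split("/"):
        if rdn.upper().startswith("CN="):
            return rdn[3:]
    return None


def subject_match(cert: ServerCert, pattern: str) -> bool:
    """subject_match semantics: the pattern only has to occur somewhere in the
    subject DN, so a CN-only pattern also accepts any other subject that
    happens to contain that string."""
    return pattern in cert.subject_dn


def _labels(name: str) -> List[str]:
    """Split a host name into lower-cased DNS labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def suffix_match_labels(name: str, suffix: str) -> bool:
    """True if every label of `suffix` is present at the end of `name`,
    compared one label at a time. A plain str.endswith() would accept
    'rz.notuni-konstanz.de' for suffix 'uni-konstanz.de'; this does not."""
    n, s = _labels(name), _labels(suffix)
    return 0 < len(s) <= len(n) and n[-len(s):] == s


def _candidate_names(cert: ServerCert) -> List[str]:
    """Names the check is applied to: all dNSName SANs, or the CN as fallback."""
    if cert.dns_names:
        return cert.dns_names
    cn = subject_cn(cert.subject_dn)
    return [cn] if cn else []


def domain_suffix_match(cert: ServerCert, suffix: str) -> bool:
    """domain_suffix_match semantics: any candidate name may carry extra
    sub-level labels in front of the configured suffix, but never fewer."""
    return any(suffix_match_labels(c, suffix) for c in _candidate_names(cert))


def domain_match(cert: ServerCert, fqdn: str) -> bool:
    """domain_match semantics: a candidate name must equal the FQDN exactly."""
    return any(_labels(c) == _labels(fqdn) for c in _candidate_names(cert))


# Constructed test certificates (placeholder DNs, not the real server's).
GENUINE_CERT = ServerCert("/C=DE/O=Example University/CN=radius.rz.uni-konstanz.de",
                          ["radius.rz.uni-konstanz.de"])
ROGUE_CERT = ServerCert("/C=XX/O=Rogue Hotspot/CN=radius.rz.uni-konstanz.evil.com",
                        ["radius.rz.uni-konstanz.evil.com"])
SIBLING_CERT = ServerCert("/C=DE/O=Example University/CN=radius.uni-konstanz.de",
                          ["radius.uni-konstanz.de"])
LOOKALIKE_CERT = ServerCert("/C=XX/O=Rogue Hotspot/CN=rz.notuni-konstanz.de",
                            ["rz.notuni-konstanz.de"])
CN_ONLY_CERT = ServerCert("/C=DE/O=Example University/CN=radius.rz.uni-konstanz.de")


if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE_CERT), ("rogue", ROGUE_CERT),
                        ("sibling", SIBLING_CERT), ("lookalike", LOOKALIKE_CERT)]:
        print(f"{label:10} subject_match(CN only)={subject_match(cert, 'CN=radius.rz.uni-konstanz')!s:5} "
              f"domain_suffix_match(rz.uni-konstanz.de)={domain_suffix_match(cert, 'rz.uni-konstanz.de')}")
```

The substring nature of `subject_match` is what makes the CN-only pattern weak: `CN=radius.rz.uni-konstanz` is a substring of the rogue subject's CN `radius.rz.uni-konstanz.evil.com` as well. The label-wise comparison in `suffix_match_labels` is also why `domain_suffix_match` rejects names that merely end in the same characters, which a naive `endswith` check would not.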

xamor commented 9 years ago

domain_suffix_match is available since android version 6 (API 23). It is already possible to use the complete DN you only have to enter it in the CN field. The user has to fill it in complete. I moved the domain_suffix_match option to Version 1.1 because the priority for this option is at the moment low, until Android version 6 is released.

petejoybaker commented 9 years ago

Perfect. Good job :)