Bug 514986

Summary: Wifi with tunnelled EAP: not specifying CA leaves users vulnerable to MITM
Product: [Applications] systemsettings
Reporter: kde-cs
Component: kcm_networkmanagement
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: REPORTED
Severity: normal
CC: jgrulich
Priority: NOR
Version First Reported In: 6.5.5
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux

Description kde-cs 2026-01-23 18:36:34 UTC
SUMMARY

When configuring a wifi connection with WPA/WPA2 Enterprise security using a tunnelled EAP method (TTLS or PEAP), not selecting a CA file disables certificate checking of RADIUS server certificates. This leaves users vulnerable to MITM attacks which expose tunnelled credentials.

STEPS TO REPRODUCE
1. Configure a wifi connection.
2. Select WPA/WPA2 Enterprise.
3. Select PEAP or TTLS (configure all necessary login and second phase data).
4. Leave CA certificate empty.
5. Connect to a WPA/WPA2 enterprise wifi with an EAP method configured that matches the one configured above and use a self-signed certificate for the RADIUS server.

OBSERVED RESULT

Any self-signed RADIUS server certificate is accepted.

EXPECTED RESULT

A RADIUS server certificate signed by an unknown CA should be rejected.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma:
KDE Plasma Version: 6.5.5
KDE Frameworks Version: 6.22.0 
Qt Version: 6.10.1

ADDITIONAL INFORMATION

The NetworkManager documentation (https://networkmanager.dev/docs/api/1.46/settings-802-1x.html) says:

"ca-cert: […] This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. […]"

It also says:

"system-ca-certs: When TRUE, overrides the "ca-path" and "phase2-ca-path" properties using the system CA directory specified at configure time with the --system-ca-path switch. [...]"

A possible workaround would be to set "system-ca-certs" to "TRUE" when "ca-cert" is unset in the network settings. The connection would then fail if the RADIUS server's certificate is signed by an unknown CA.
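To make the reported condition and the proposed workaround concrete, here is an added audit script (example code, not part of this report and not KDE or NetworkManager code). It reads NetworkManager keyfile profiles, flags tunnelled EAP (PEAP/TTLS) profiles that set neither "ca-cert"/"ca-path" nor "system-ca-certs", and applies the reporter's workaround by setting "system-ca-certs=true" on such profiles. The sample profiles, identities and paths are constructed for the example; the key names follow the 802-1x setting documented at the URL above, and the `audit_profile`/`apply_workaround` helpers are this example's own.

```python
"""Audit NetworkManager keyfile profiles for tunnelled EAP connections
whose RADIUS server certificate is not validated against any CA."""
import configparser
import io
from typing import Dict, List

# Only tunnelled methods carry an inner credential that a spoofed RADIUS
# server could harvest, so only these are relevant to the report.
TUNNELLED_EAP = {"peap", "ttls"}

# Constructed sample keyfiles (not taken from any real system).
SAMPLE_PROFILES: Dict[str, str] = {
    "corp-no-ca.nmconnection": """
[connection]
id=corp-no-ca
type=wifi

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
password=constructed-example
""",
    "corp-pinned.nmconnection": """
[connection]
id=corp-pinned
type=wifi

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=ttls;
identity=bob
phase2-auth=pap
ca-cert=file:///etc/pki/radius/example-ca.pem
""",
    "corp-system-ca.nmconnection": """
[connection]
id=corp-system-ca
type=wifi

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=carol
phase2-auth=mschapv2
system-ca-certs=true
""",
    "home-psk.nmconnection": """
[connection]
id=home-psk
type=wifi

[wifi-security]
key-mgmt=wpa-psk
psk=constructed-example
""",
}


def parse_eap_methods(value: str) -> List[str]:
    """Keyfile list values are ';'-separated with a trailing ';' ('peap;')."""
    return [m.strip().lower() for m in value.split(";") if m.strip()]


def audit_profile(keyfile_text: str) -> str:
    """Classify one profile.

    'not-applicable'    no tunnelled EAP configured
    'ca-pinned'         ca-cert or ca-path names a trusted CA
    'system-ca'         system-ca-certs=true, chain checked against system store
    'unverified-server' tunnelled EAP with no CA at all (the reported issue)
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(keyfile_text)
    if not cfg.has_section("802-1x"):
        return "not-applicable"
    sec = cfg["802-1x"]
    if not any(m in TUNNELLED_EAP for m in parse_eap_methods(sec.get("eap", ""))):
        return "not-applicable"
    if sec.get("ca-cert") or sec.get("ca-path"):
        return "ca-pinned"
    if sec.get("system-ca-certs", "false").strip().lower() == "true":
        return "system-ca"
    return "unverified-server"


def apply_workaround(keyfile_text: str) -> str:
    """Reporter's workaround: enable system-ca-certs when no CA is configured.
    Profiles that already validate the server are returned unchanged."""
    if audit_profile(keyfile_text) != "unverified-server":
        return keyfile_text
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(keyfile_text)
    cfg["802-1x"]["system-ca-certs"] = "true"
    buf = io.StringIO()
    cfg.write(buf, space_around_delimiters=False)  # keep NM's key=value form
    return buf.getvalue()


def audit_all(profiles: Dict[str, str]) -> Dict[str, str]:
    return {name: audit_profile(text) for name, text in profiles.items()}


if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLE_PROFILES).items():
        print(f"{verdict:18} {name}")
```

On a real host the same check would be run over the files under /etc/NetworkManager/system-connections/ (root-readable); the "unverified-server" verdict is the state the report describes, and after `apply_workaround` the profile audits as "system-ca".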