Changes
→Certificate Pinning: some minor updates
===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ Cracking MS-CHAPv2]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Unfortunately, VT is in the process of deprecating has deprecated a much stronger authentication method, [[EAP-TLS]], and as such, network certificates will are no longer be an option.
Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.
Validate that the downloaded certificate is in fact signed by the (Now Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain. You will first need to download ''all'' certificates in the "CA: Virginia_Tech_Global_Server_CA" chain and concatenate them.
It is worth noting that the new Virginia Tech CA is signed by the Global Sign R3 CA, and the Radius Server presents the name of "wireless.cns.vt.edu".
$ cat GlobalSignRootCA.pem GlobalSignRootSignPartnersCA.pem VirginiaTechGlobalRootCA.pem VirginiaTechGlobalServerCA.pem >> ca.pem
