
Re: [cat-users] iphone problem


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Angel, Judy" <admyet4 AT herts.ac.uk>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Mailcon2 <e.4.test AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Mon, 17 Jun 2013 08:13:43 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Judy,

> I have attached the config that is working on the iphone, hope this helps.

I see where the problem is... and it's not CAT related :-)

I've just run an in-depth diagnostic on your RADIUS server (you'll see
a few failed authentications from "test AT herts.ac.uk" in your logs).

Your server certificate is signed with the MD5 signature algorithm:

Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=GB, ST=Hertfordshire, L=Hatfield,
O=University of Hertfordshire,
CN=University of Hertfordshire Radius Service
Validity
Not Before: Apr 4 14:59:47 2011 GMT
Not After : Apr 3 14:59:47 2014 GMT
Subject: C=GB, ST=Hertfordshire, L=Hatfield,
O=University of Hertfordshire,
CN=radius.herts.ac.uk

iOS since version 6 refuses to accept such server certificates, no
matter whether the CA chain is in order or not. This is part of Apple's
crusade to get rid of known-broken signature algorithms.

Depending on who you ask, their crusade is either a good thing or a bad
thing - but it is reality :-)

So, you should really not sign your server certificate with MD5. Other
OSes are going a similar way but with different subtleties (e.g. Windows
stopped accepting certificates with a key length of <1024 bits, no
matter the sig algorithm).

I'm a bit lost as to why your certs (also the server cert) still use MD5,
given they were created in 2011 when the demise of MD5 was a wide-open
secret already.

I'm using SHA-512 for my latest CA and certs, which seems to have very
widespread support among client devices. If you have legacy devices to
work with and are unsure if they can do SHA-512, then SHA-1 is your best
bet as a signature algorithm.

BTW, since we already had a couple of such cases, I'm planning on adding
detection for MD5 cert sig algorithm for 1.1 as well; that way, no human
intervention would be needed to uncover this situation. It's a bit of
code to write though...

As a second BTW: we've recently discovered that supporting Windows Phone
8 requires more from your server certificate: it needs to have the
extension "CRL Distribution Point" (CDP) set; otherwise the cert will
always fail to validate (the cleverness level of this new requirement is
arguable). Since many operating systems will actually check whether there
is a CRL at the URL given in the CDP, you should then also make sure
that the CRL exists at that spot. - Or you decide not to care about the
peculiarities of Windows Phone 8 and declare it unsupported for your
users :-)

Greetings,

Stefan Winter


>
> Judy
> -----Original Message-----
> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
> Sent: 14 June 2013 15:07
> To: Mailcon2
> Cc: cat-users AT geant.net; Mailcon2
> Subject: Re: [cat-users] iphone problem
>
> Hi,
>
>> I have uploaded a Terena certificate, but not a chain.
>
> Further to this, I've now added code into trunk (i.e. a 1.1 version coming
> up later) which will visualise that it's a bad idea to upload a server cert
> at all, see attached screenshot.
>
> Maybe that's not the best solution... instead uploading a server cert could
> outright be rejected in the first place; I guess this needs to be thought
> through a bit more thoroughly.
>
> Stefan
>
> I will try that later.
>
>> I did notice that the code is identical for the different apple devices
>> but in my site the lion works and iphone ipad does not. The ipad download
>> web page looks like all the others but the iphone one looks very
>> different, which seems to suggest that there is a difference somewhere.
>> We have a profile that works on an iphone I will get hold of it and send
>> to the list.
>>
>> Thanks
>>
>> Judy
>>
>>
>> -----Original Message-----
>> From: Stefan Winter [mailto:stefan.winter AT restena.lu]
>> Sent: 14 June 2013 12:47
>> To: cat-users AT geant.net; Mailcon2
>> Subject: Re: [cat-users] iphone problem
>>
>> Hi,
>>
>>> I have taken a look at the actual profile. It has an error. Instead
>>> of the certificate chain for the CAs it just contains the server
>>> certificate (TCS one). This is not correct.
>>>
>>> Please supply the whole TCS certificate chain as either one PEM file
>>> containing all, or several files with separate certificates and
>>> please try again then.
>>
>> You are right with that; but I don't think it is the root cause of the
>> problem. Judy mentioned in her first mail that she initially had a
>> self-signed cert; which is its own CA root certificate and is a complete
>> chain in itself.
>>
>>> With TTLS-PAP, the newest IOS does not ask the user to provide
>>> credentials at install time, only at first connection time. This is
>>> different from PEAP.
>>
>> I understood the problem to be that on this first connection, the
>> "unknown cert" warning comes up, and it is *not possible* to proceed
>> with the connection. (?)
>>
>> Still, if she was able to upload a *server* cert instead of a CA cert, and
>> wasn't told by the UI that this is wrong, then this is something we have
>> to tackle in CAT. That warning needs to make it to the admin's eye.
>>
>> Greetings,
>>
>> Stefan
>>
>>>
>>> Tomasz
>>>
>>>
>>>
>>> W dniu 14.06.2013 13:04, Stefan Winter pisze:
>>>> Hi,
>>>>
>>>>> We use PAP-TTLS as we authenticate against a unix password file.
>>>>> Unfortunately PEAP did not work.
>>>>> iPad and iPhone do not work and the vast majority of students have
>>>>> these devices.
>>>> Looking at the thread, I see that you reported OS X Lion+ to work
>>>> without problems.
>>>>
>>>> That's "funny" because the OS X Lion download and iOS download are
>>>> the identical file; they only have two different buttons on the
>>>> download interface because people are looking for device classes
>>>> usually, and a button with an abstract notion of "anything Apple"
>>>> looked less intuitive than mentioning the exact device class.
>>>>
>>>> So if the OS X Lion+ installer works, I'm reasonably confident that
>>>> the profile as generated by CAT is in good working order.
>>>>
>>>> Since Scott mentioned that their CloudPath installer has the same
>>>> issue, I'm really tempted to think that this is an iOS bug - in that
>>>> it can't do TTLS-PAP properly - much more than an eduroam CAT problem.
>>>>
>>>> Since you can't move away from TTLS-PAP, I'm sort of lost in things
>>>> to suggest. There is one thing maybe: you could try to generate an
>>>> iOS profile "by hand"; i.e. download Apple's "iPhone Configuration
>>>> Utility", click together the settings as they apply to your IdP and
>>>> see if the resulting profile works better with the iOS devices.
>>>>
>>>> I'm guessing it won't, and then it's clearly an iOS bug. If it does
>>>> work better however, please send the profile over to me so I can
>>>> inspect it for differences to what CAT generates.
>>>>
>>>> Greetings,
>>>>
>>>> Stefan Winter
>>>>
>>>>>
>>>>> Regards
>>>>> Judy Angel
>>>>>
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage <S.P.Armitage AT lboro.ac.uk> wrote:
>>>>>
>>>>>> On 13 Jun 2013, at 15:46, "Angel, Judy" <admyet4 AT herts.ac.uk> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>> I am new to this system and think it is great. Thank you very much
>>>>>>> for developing such a useful tool.
>>>>>>> I have tested the download for W7, XP, Lion, Linux and all work
>>>>>>> fine. However the iPhone app does not look as nice as the others and,
>>>>>>> more to the point, does not work for me. It goes through the install
>>>>>>> screen, I enter username and password but there is no connection.
>>>>>>> I originally had a self-certified certificate. I have now
>>>>>>> installed the Janet Terena one which I can see as verified in the
>>>>>>> iPhone > General > Profile. But when I select the SSID eduroam the
>>>>>>> certificate page with the gears is on the left, "not verified" in red
>>>>>>> in the middle of the screen, "accept" on the right hand side but it is
>>>>>>> not an active button, so cannot be selected.
>>>>>>> Have you come across such a problem? Any suggestions please.
>>>>>>
>>>>>> I think the problem is TTLS. I noticed the same problem with our
>>>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>>>> therefore had to switch to PEAP.
>>>>>> From memory this was discussed a while ago on another mailing list
>>>>>> (but I can't remember).
>>>>>>
>>>>>> Try a PEAP configuration and see if you have the same problem.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Scott Armitage
>>>>
>>>
>>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
> et de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
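The three server-certificate checks Stefan lists in the mail above (MD5 signature algorithm, RSA key shorter than 1024 bits, missing CRL Distribution Points extension) can be run over the output of `openssl x509 -noout -text`. The script below is an added example and not CAT's own detection code; its sample input is constructed from the certificate dump in the mail, with a Public-Key line invented for the key-length check.

```python
import re

# Constructed sample of `openssl x509 -noout -text` output. The Signature
# Algorithm, Issuer and Subject lines are those of the certificate dump in
# the mail; the Public-Key line is constructed. No CDP extension is present.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Hertfordshire, L=Hatfield, O=University of Hertfordshire
        Subject: C=GB, ST=Hertfordshire, L=Hatfield, CN=radius.herts.ac.uk
                Public-Key: (1024 bit)
"""
# iOS 6+ refuses these signatures; Windows refuses RSA keys below MIN_RSA_BITS.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "md4WithRSAEncryption", "md2WithRSAEncryption"}
MIN_RSA_BITS = 1024


def _extension_body(lines, header):
    """Lines indented deeper than the extension header line, or None if absent."""
    for i, line in enumerate(lines):
        if line.strip().startswith(header):
            indent = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break  # back at extension-header depth: next extension starts
                body.append(nxt)
            return body
    return None


def check_cert_text(text):
    """Inspect one openssl x509 -text dump; return parsed facts plus findings."""
    result = {"signature_algorithm": None, "key_bits": None, "crl_uris": [], "findings": []}
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    result["signature_algorithm"] = sig.group(1) if sig else None
    if result["signature_algorithm"] in WEAK_SIG_ALGS:
        result["findings"].append(f"{sig.group(1)} signature: iOS 6+ rejects it; re-sign with SHA-2 (SHA-1 only for legacy clients)")
    # OpenSSL 0.9.8 prints 'RSA Public Key:', 1.0.0 and later print 'Public-Key:'
    bits = re.search(r"^\s*(?:RSA Public Key|Public-Key):\s*\((\d+) bit\)", text, re.M)
    if bits is not None:
        result["key_bits"] = int(bits.group(1))
        if result["key_bits"] < MIN_RSA_BITS:
            result["findings"].append(f"{result['key_bits']}-bit key: Windows rejects keys shorter than {MIN_RSA_BITS} bits")
    body = _extension_body(text.splitlines(), "X509v3 CRL Distribution Points:")
    if body is None:
        result["findings"].append("no CRL Distribution Points extension: Windows Phone 8 will not validate the cert")
    else:  # the mail says a CRL must really exist at each URI; list them for checking
        result["crl_uris"] = [u for line in body for u in re.findall(r"URI:(\S+)", line)]
    return result
```

Pipe `openssl x509 -in server.pem -noout -text` into `check_cert_text` and fetch each URI in `crl_uris` by hand to confirm the CRL is really served there.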
