cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: "Angel, Judy" <admyet4 AT herts.ac.uk>
- Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Mailcon2 <e.4.test AT herts.ac.uk>
- Subject: Re: [cat-users] iphone problem
- Date: Mon, 17 Jun 2013 08:13:43 +0200
- List-archive: <https://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Judy,
> I have attached the config that is working on the iphone, hope this helps.
I see where the problem is... and it's not CAT related :-)
I've just run an in-depth diagnostics on your RADIUS server (you'll see
a few failed authentications from
"test AT herts.ac.uk"
in your logs).
Your server certificate is signed with the MD5 signature algorithm:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=GB, ST=Hertfordshire, L=Hatfield,
O=University of Hertfordshire,
CN=University of Hertfordshire Radius Service
Validity
Not Before: Apr 4 14:59:47 2011 GMT
Not After : Apr 3 14:59:47 2014 GMT
Subject: C=GB, ST=Hertfordshire, L=Hatfield,
O=University of Hertfordshire,
CN=radius.herts.ac.uk
iOS since version 6 refuses to accept such server certificates, no
matter whether the CA chain is in order or not. This is part of Apple's
crusade to get rid of known-broken signature algorithms.
Depending on who you ask, their crusade either a good thing or a bad
thing - but it is reality :-)
So, you should really not sign your server certificate with MD5. Other
OSes are going a similar way but with different subtleties (e.g. Windows
stopped to accept certificates with a key length of <1024 bits, no
matter the sig algorithm).
I'm a bit lost why your certs (also the server cert) still use MD5,
given they were created in 2011 when the demise of MD5 was a wide-open
secret already.
I'm using SHA-512 for my latest CA and certs, which seems to have very
wide-spread support among client devices. If you have legacy devices to
work with and are unsure if they can do SHA-512, then SHA-1 is your best
bet as a signature algorithm.
BTW, since we already had a couple of such cases, I'm planning on adding
detection for MD5 cert sig algorithm for 1.1 as well; that way, no human
intervention would be needed to uncover this situation. It's a bit of
code to write though...
As a second BTW: we've recently discovered that supporting Windows Phone
8 requires more from your server certificate: it needs to have the
extension "CRL Distribution Point" (CDP) set; otherwise the cert will
always fail to validate (the cleverness level of this new requirement is
arguable). Since many operating systems will actually check if there is
actually a CRL at the URL given in CDP, you should then also make sure
that the CRL exists at that spot. - Or you decide not to care about the
peculiarities of Windows Phone 8 and declare it unsupported for your
users :-)
Greetings,
Stefan Winter
Greetings,
Stefan Winter
>
> Judy
> -----Original Message-----
> From: Stefan Winter
> [mailto:stefan.winter AT restena.lu]
>
> Sent: 14 June 2013 15:07
> To: Mailcon2
> Cc:
> cat-users AT geant.net;
> Mailcon2
> Subject: Re: [cat-users] iphone problem
>
> Hi,
>
>> I have uploaded a Terena certificate, but not a chain.
>
> Further to this, I've now added code into trunk (i.e. a 1.1 version coming
> up later) which will visualise that it's a bad idea to upload a server cert
> at all, see attached screenshot.
>
> Maybe that's not the best solution... instead uploading a server cert could
> outright be rejected in the first place; I guess this needs to be thought
> through a bit more thoroughly.
>
> Stefan
>
> I will try that later.
>
>> I did notice that the code is identical for the different apple devices
>> but in my site the lion works and iphone ipad does not. The ipad download
>> web page looks like all the others but the iphone one looks very
>> different, which seems to suggest that there is a difference somewhere.
>> We have a profile that works on an iphone I will get hold of it and send
>> to the list.
>>
>> Thanks
>>
>> Judy
>>
>>
>> -----Original Message-----
>> From: Stefan Winter
>> [mailto:stefan.winter AT restena.lu]
>> Sent: 14 June 2013 12:47
>> To:
>> cat-users AT geant.net;
>> Mailcon2
>> Subject: Re: [cat-users] iphone problem
>>
>> Hi,
>>
>>> I have taken a look at the actual profile. It has an error. Instead
>>> of the certificate chain for the CAs it just contains the server
>>> certificate (TCS one). This is not correct.
>>>
>>> Please supply the whole TCS certificate chain as either one PEM file
>>> containing all, or several files with separate certificates and
>>> please try again then.
>>
>> You are right with that; but I don't think it is the root cause of the
>> problem. Judy mentioned in her first mail that she initially had a
>> self-signed cert; which is its own CA root certificate and is a complete
>> chain in itself.
>>
>>> With TTLS-PAP, the newest IOS does not ask the user to provide
>>> credentials at install time, only at first connection time. This is
>>> different from PEAP.
>>
>> I understood the problem to be that on this first connection, the
>> "unknown cert" warning comes up, and it is *not possible* to proceed
>> with the connection. (?)
>>
>> Still, if she was able to upload a *server* cert instead of a CA cert, and
>> wasn't told by the UI that this is wrong, then this is something we have
>> to tackle in CAT. That warning needs to make it to the admin's eye.
>>
>> Greetings,
>>
>> Stefan
>>
>>>
>>> Tomasz
>>>
>>>
>>>
>>> W dniu 14.06.2013 13:04, Stefan Winter pisze:
>>>> Hi,
>>>>
>>>>> We use PAP-TTLS as we authenticate against a unix password file.
>>>>> Unfortunately PEAP did not work.
>>>>> iPad and iPhone does not work and vast majority of students use have
>>>>> these devices.
>>>> Looking at the thread, I see that you reported OS X Lion+ to work
>>>> without problems.
>>>>
>>>> That's "funny" because the OS X Lion download and iOS download are
>>>> the identical file; they only have two different buttons on the
>>>> download interface because people are looking for device classes
>>>> usually, and a button with an abstract notion of "anythinig Apple"
>>>> looked less intuitive than mentioning the exact device class.
>>>>
>>>> So if the OS X Lion+ installer works, I'm reasonably confident that
>>>> the profile as generated by CAT is in good working order.
>>>>
>>>> Since Scott mentioned that their CloudPath installer has the same
>>>> issue, I'm really tempted to think that this is an iOS bug - in that
>>>> it can't do TTLS-PAP properly - much more than an eduroam CAT problem.
>>>>
>>>> Since you can't move away from TTLS-PAP, I'm sort of lost in things
>>>> to suggest. There is one thing maybe: you could try to generate an
>>>> iOS profile "by hand"; i.e. download Apple's "iPhone Configuration
>>>> Utility", click together the settings as they apply to your IdP and
>>>> see if the resulting profile works better with the iOS devices.
>>>>
>>>> I'm guessing it won't, and then it's clearly an iOS bug. If it does
>>>> work better however, please send the profile over to me so I can
>>>> inspect it for differences to what CAT generates.
>>>>
>>>> Greetings,
>>>>
>>>> Stefan Winter
>>>>
>>>>>
>>>>> Regards
>>>>> Judy Angel
>>>>>
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> On 13 Jun 2013, at 08:56 PM, Scott Armitage
>>>>> <S.P.Armitage AT lboro.ac.uk>
>>>>> wrote:
>>>>>
>>>>>> On 13 Jun 2013, at 15:46, "Angel, Judy"
>>>>>> <admyet4 AT herts.ac.uk>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>> I am new to this system and think it is great. Thank you very much
>>>>>>> for developing such a useful tool.
>>>>>>> I have tested the download for w7, XP ,lion , linux and all work
>>>>>>> fine. However the iphone app does not look as nice as the others and
>>>>>>> More to the point down not work for me. It goes through the install
>>>>>>> screen, I enter username and password but there is no connection.
>>>>>>> I originally had a self certified certificate. I have now
>>>>>>> installed the Janet Terena one which I can see as verified in the
>>>>>>> iphone>general>profile But when I select the SSID eduroam the
>>>>>>> certificate page with the gears is on the left, not verified in red
>>>>>>> in the middle of the screen, accept on the right hand side but it is
>>>>>>> not an active button, so can not be selected.
>>>>>>> Have you come across such a problem? Any suggestions please.
>>>>>>
>>>>>> I think the problem is TTLS. I noticed the same problem with our
>>>>>> cloudpath profiles if the authentication type was set to EAP-TTLS. I
>>>>>> therefore had to switch PEAP.
>>>>>> From memory this was discussed a while ago on another mailing list
>>>>>> (but I can't remember).
>>>>>>
>>>>>> Try a PEAP configuration and see if you have the same problem.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Scott Armitage
>>>>
>>>
>>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
>> et de la Recherche 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Attachment:
signature.asc
Description: OpenPGP digital signature
- Re: [cat-users] iphone problem, (continued)
- Re: [cat-users] iphone problem, Judy, 06/14/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/14/2013
- Re: [cat-users] iphone problem, Tomasz Wolniewicz, 06/14/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/14/2013
- Re: [cat-users] iphone problem, Tomasz Wolniewicz, 06/14/2013
- Re: [cat-users] iphone problem, Angel, Judy, 06/14/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/14/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/14/2013
- Re: [cat-users] iphone problem, Angel, Judy, 06/14/2013
- Re: [cat-users] iphone problem, Tomasz Wolniewicz, 06/14/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/17/2013
- Re: [cat-users] iphone problem, Tomasz Wolniewicz, 06/17/2013
- Re: [cat-users] iphone problem, Angel, Judy, 06/17/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/19/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/14/2013
- Re: [cat-users] iphone problem, Tomasz Wolniewicz, 06/14/2013
- Re: [cat-users] iphone problem, José Manuel Macías, 06/17/2013
- Re: [cat-users] iphone problem, Stefan Winter, 06/14/2013
- Re: [cat-users] iphone problem, Judy, 06/14/2013
Archive powered by MHonArc 2.6.19.