The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi Stefan,
   there seem to be a number of inconsistencies in all this.
The CAT profile used to contain the TCS certificate for the server.
However, as you have properly spotted, the actual server uses a 
certificate from the local CA, which to makes things worse is MD5.

Therefore, the CAT profile cannot work since it has different settings 
then the actual server setup.
There are two ways to fix things. One is to put the TCS certificate on 
the RADIUS server and keep the current CAT profile (we do not recommend 
using TCS certificates since in order to have proper security a user 
device has to additionally check the server name and some devices just 
do not support that). The second solution is to reissue the certificate 
for your server from your local CA, this time with SHA
and then put your CA algorithm in the CAT profile.

Tomasz


W dniu 2013-06-17 08:13, Stefan Winter pisze:
> Judy,
>
> > I have attached the config that is working on the iphone, hope this helps.
> I see where the problem is... and it's not CAT related :-)
>
> I've just run an in-depth diagnostics on your RADIUS server (you'll see
> a few failed authentications from 
> "test AT herts.ac.uk"
>  in your logs).
>
> Your server certificate is signed with the MD5 signature algorithm:
>
> Certificate:
>      Data:
>          Version: 1 (0x0)
>          Serial Number: 1 (0x1)
>      Signature Algorithm: md5WithRSAEncryption
>          Issuer: C=GB, ST=Hertfordshire, L=Hatfield,
>                  O=University of Hertfordshire,
>                  CN=University of Hertfordshire Radius Service
>          Validity
>              Not Before: Apr  4 14:59:47 2011 GMT
>              Not After : Apr  3 14:59:47 2014 GMT
>          Subject: C=GB, ST=Hertfordshire, L=Hatfield,
>                   O=University of Hertfordshire,
>                   CN=radius.herts.ac.uk
>
> iOS since version 6 refuses to accept such server certificates, no
> matter whether the CA chain is in order or not. This is part of Apple's
> crusade to get rid of known-broken signature algorithms.
>
> Depending on who you ask, their crusade either a good thing or a bad
> thing - but it is reality :-)
>
> So, you should really not sign your server certificate with MD5. Other
> OSes are going a similar way but with different subtleties (e.g. Windows
> stopped to accept certificates with a key length of <1024 bits, no
> matter the sig algorithm).
>
> I'm a bit lost why your certs (also the server cert) still use MD5,
> given they were created in 2011 when the demise of MD5 was a wide-open
> secret already.
>
> I'm using SHA-512 for my latest CA and certs, which seems to have very
> wide-spread support among client devices. If you have legacy devices to
> work with and are unsure if they can do SHA-512, then SHA-1 is your best
> bet as a signature algorithm.
>
> BTW, since we already had a couple of such cases, I'm planning on adding
> detection for MD5 cert sig algorithm for 1.1 as well; that way, no human
> intervention would be needed to uncover this situation. It's a bit of
> code to write though...
>
> As a second BTW: we've recently discovered that supporting Windows Phone
> 8 requires more from your server certificate: it needs to have the
> extension "CRL Distribution Point" (CDP) set; otherwise the cert will
> always fail to validate (the cleverness level of this new requirement is
> arguable). Since many operating systems will actually check if there is
> actually a CRL at the URL given in CDP, you should then also make sure
> that the CRL exists at that spot. - Or you decide not to care about the
> peculiarities of Windows Phone 8 and declare it unsupported for your
> users :-)
>
> Greetings,
>
> Stefan Winter
>
>
> Greetings,
>
> Stefan Winter
>
> > Judy
> > -----Original Message-----
> > From: Stefan Winter 
> > [mailto:stefan.winter AT restena.lu]
> > Sent: 14 June 2013 15:07
> > To: Mailcon2
> > Cc: 
> > cat-users AT geant.net;
> >  Mailcon2
> > Subject: Re: [cat-users] iphone problem
> >
> > Hi,
> >
> > > I have uploaded a Terena certificate, but not a chain.
> > Further to this, I've now added code into trunk (i.e. a 1.1 version coming up 
> > later) which will visualise that it's a bad idea to upload a server cert at 
> > all, see attached screenshot.
> >
> > Maybe that's not the best solution... instead uploading a server cert could 
> > outright be rejected in the first place; I guess this needs to be thought 
> > through a bit more thoroughly.
> >
> > Stefan
> >
> >   I will try that later.
> >
> > > I did notice that the code is identical for the different apple devices but 
> > > in my site the lion works and iphone ipad does not. The ipad download web 
> > > page looks like all the others but the iphone one looks very different,  
> > > which seems to suggest that there is a difference somewhere.
> > > We have a profile that works on an iphone I will get hold of it and send to 
> > > the list.
> > >
> > > Thanks
> > >
> > > Judy
> > >
> > >
> > > -----Original Message-----
> > > From: Stefan Winter 
> > > [mailto:stefan.winter AT restena.lu]
> > > Sent: 14 June 2013 12:47
> > > To: 
> > > cat-users AT geant.net;
> > >  Mailcon2
> > > Subject: Re: [cat-users] iphone problem
> > >
> > > Hi,
> > >
> > > > I have taken a look at the actual profile. It has an error. Instead
> > > > of the certificate chain for the CAs it just contains the server
> > > > certificate (TCS one). This is not correct.
> > > >
> > > > Please supply the whole TCS certificate chain as either one PEM file
> > > > containing all, or several files with separate certificates and
> > > > please try again then.
> > > You are right with that; but I don't think it is the root cause of the 
> > > problem. Judy mentioned in her first mail that she initially had a 
> > > self-signed cert; which is its own CA root certificate and is a complete 
> > > chain in itself.
> > >
> > > > With TTLS-PAP, the newest IOS does not ask the user to provide
> > > > credentials at install time, only at first connection time. This is
> > > > different from PEAP.
> > > I understood the problem to be that on this first connection, the
> > > "unknown cert" warning comes up, and it is *not possible* to proceed
> > > with the connection. (?)
> > >
> > > Still, if she was able to upload a *server* cert instead of a CA cert, and 
> > > wasn't told by the UI that this is wrong, then this is something we have to 
> > > tackle in CAT. That warning needs to make it to the admin's eye.
> > >
> > > Greetings,
> > >
> > > Stefan
> > >
> > > > Tomasz
> > > >
> > > >
> > > >
> > > > W dniu 14.06.2013 13:04, Stefan Winter pisze:
> > > > > Hi,
> > > > >
> > > > > > We use PAP-TTLS as we authenticate against a unix password file. 
> > > > > > Unfortunately PEAP did not work.
> > > > > > iPad and iPhone does not work and vast majority of students use have these 
> > > > > > devices.
> > > > > Looking at the thread, I see that you reported OS X Lion+ to work
> > > > > without problems.
> > > > >
> > > > > That's "funny" because the OS X Lion download and iOS download are
> > > > > the identical file; they only have two different buttons on the
> > > > > download interface because people are looking for device classes
> > > > > usually, and a button with an abstract notion of "anythinig Apple"
> > > > > looked less intuitive than mentioning the exact device class.
> > > > >
> > > > > So if the OS X Lion+ installer works, I'm reasonably confident that
> > > > > the profile as generated by CAT is in good working order.
> > > > >
> > > > > Since Scott mentioned that their CloudPath installer has the same
> > > > > issue, I'm really tempted to think that this is an iOS bug - in that
> > > > > it can't do TTLS-PAP properly - much more than an eduroam CAT problem.
> > > > >
> > > > > Since you can't move away from TTLS-PAP, I'm sort of lost in things
> > > > > to suggest. There is one thing maybe: you could try to generate an
> > > > > iOS profile "by hand"; i.e. download Apple's "iPhone Configuration
> > > > > Utility", click together the settings as they apply to your IdP and
> > > > > see if the resulting profile works better with the iOS devices.
> > > > >
> > > > > I'm guessing it won't, and then it's clearly an iOS bug. If it does
> > > > > work better however, please send the profile over to me so I can
> > > > > inspect it for differences to what CAT generates.
> > > > >
> > > > > Greetings,
> > > > >
> > > > > Stefan Winter
> > > > >
> > > > > > Regards
> > > > > > Judy Angel
> > > > > >   
> > > > > >
> > > > > > Sent from my iPad
> > > > > >
> > > > > > On 13 Jun 2013, at 08:56 PM, Scott Armitage 
> > > > > > <S.P.Armitage AT lboro.ac.uk>
> > > > > >  wrote:
> > > > > >
> > > > > > > On 13 Jun 2013, at 15:46, "Angel, Judy" 
> > > > > > > <admyet4 AT herts.ac.uk>
> > > > > > >  wrote:
> > > > > > >
> > > > > > > > Hi
> > > > > > > > I am new to this system and think it is great. Thank you very much for 
> > > > > > > > developing such a useful tool.
> > > > > > > > I have tested the download for w7, XP ,lion , linux and all work
> > > > > > > > fine. However the iphone app does not look as nice as the others and More to 
> > > > > > > > the point down not work for me. It goes through the install screen, I enter 
> > > > > > > > username and password but there is no connection.
> > > > > > > > I originally had a self certified certificate. I have now
> > > > > > > > installed the Janet Terena one which I can see as verified in the 
> > > > > > > > iphone>general>profile But when I select the SSID eduroam the certificate 
> > > > > > > > page with the gears is on the left, not verified in red in the middle of the 
> > > > > > > > screen, accept on the right hand side but it is not an active button, so can not be 
> > > > > > > > selected.
> > > > > > > > Have you come across such a problem? Any suggestions please.
> > > > > > > I think the problem is TTLS.  I noticed the same problem with our cloudpath 
> > > > > > > profiles if the authentication type was set to EAP-TTLS.  I therefore had to 
> > > > > > > switch PEAP.
> > > > > > >  From memory this was discussed a while ago on another mailing list (but I 
> > > > > > > can't remember).
> > > > > > >
> > > > > > > Try a PEAP configuration and see if you have the same problem.
> > > > > > >
> > > > > > > Regards
> > > > > > >
> > > > > > > Scott Armitage
> > >
> > > --
> > > Stefan WINTER
> > > Ingenieur de Recherche
> > > Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
> > > et de la Recherche 6, rue Richard Coudenhove-Kalergi
> > > L-1359 Luxembourg
> > >
> > > Tel: +352 424409 1
> > > Fax: +352 422473
> >
> > --
> > Stefan WINTER
> > Ingenieur de Recherche
> > Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
> > Recherche 6, rue Richard Coudenhove-Kalergi
> > L-1359 Luxembourg
> >
> > Tel: +352 424409 1
> > Fax: +352 422473

--
Tomasz Wolniewicz
          
twoln AT umk.pl
        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576