Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] iphone problem

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] iphone problem


Chronological Thread 
  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, Mailcon2 <e.4.test AT herts.ac.uk>, "Angel, Judy" <admyet4 AT herts.ac.uk>
  • Subject: Re: [cat-users] iphone problem
  • Date: Mon, 17 Jun 2013 09:12:26 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi Stefan,
there seem to be a number of inconsistencies in all this.
The CAT profile used to contain the TCS certificate for the server.
However, as you have properly spotted, the actual server uses a certificate from the local CA, which to makes things worse is MD5.

Therefore, the CAT profile cannot work since it has different settings then the actual server setup.
There are two ways to fix things. One is to put the TCS certificate on the RADIUS server and keep the current CAT profile (we do not recommend using TCS certificates since in order to have proper security a user device has to additionally check the server name and some devices just do not support that). The second solution is to reissue the certificate for your server from your local CA, this time with SHA
and then put your CA algorithm in the CAT profile.

Tomasz


W dniu 2013-06-17 08:13, Stefan Winter pisze:
Judy,

I have attached the config that is working on the iphone, hope this helps.
I see where the problem is... and it's not CAT related :-)

I've just run an in-depth diagnostics on your RADIUS server (you'll see
a few failed authentications from
"test AT herts.ac.uk"
in your logs).

Your server certificate is signed with the MD5 signature algorithm:

Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=GB, ST=Hertfordshire, L=Hatfield,
O=University of Hertfordshire,
CN=University of Hertfordshire Radius Service
Validity
Not Before: Apr 4 14:59:47 2011 GMT
Not After : Apr 3 14:59:47 2014 GMT
Subject: C=GB, ST=Hertfordshire, L=Hatfield,
O=University of Hertfordshire,
CN=radius.herts.ac.uk

iOS since version 6 refuses to accept such server certificates, no
matter whether the CA chain is in order or not. This is part of Apple's
crusade to get rid of known-broken signature algorithms.

Depending on who you ask, their crusade either a good thing or a bad
thing - but it is reality :-)

So, you should really not sign your server certificate with MD5. Other
OSes are going a similar way but with different subtleties (e.g. Windows
stopped to accept certificates with a key length of <1024 bits, no
matter the sig algorithm).

I'm a bit lost why your certs (also the server cert) still use MD5,
given they were created in 2011 when the demise of MD5 was a wide-open
secret already.

I'm using SHA-512 for my latest CA and certs, which seems to have very
wide-spread support among client devices. If you have legacy devices to
work with and are unsure if they can do SHA-512, then SHA-1 is your best
bet as a signature algorithm.

BTW, since we already had a couple of such cases, I'm planning on adding
detection for MD5 cert sig algorithm for 1.1 as well; that way, no human
intervention would be needed to uncover this situation. It's a bit of
code to write though...

As a second BTW: we've recently discovered that supporting Windows Phone
8 requires more from your server certificate: it needs to have the
extension "CRL Distribution Point" (CDP) set; otherwise the cert will
always fail to validate (the cleverness level of this new requirement is
arguable). Since many operating systems will actually check if there is
actually a CRL at the URL given in CDP, you should then also make sure
that the CRL exists at that spot. - Or you decide not to care about the
peculiarities of Windows Phone 8 and declare it unsupported for your
users :-)

Greetings,

Stefan Winter


Greetings,

Stefan Winter

Judy
-----Original Message-----
From: Stefan Winter
[mailto:stefan.winter AT restena.lu]
Sent: 14 June 2013 15:07
To: Mailcon2
Cc:
cat-users AT geant.net;
Mailcon2
Subject: Re: [cat-users] iphone problem

Hi,

I have uploaded a Terena certificate, but not a chain.
Further to this, I've now added code into trunk (i.e. a 1.1 version coming up
later) which will visualise that it's a bad idea to upload a server cert at
all, see attached screenshot.

Maybe that's not the best solution... instead uploading a server cert could
outright be rejected in the first place; I guess this needs to be thought
through a bit more thoroughly.

Stefan

I will try that later.

I did notice that the code is identical for the different apple devices but
in my site the lion works and iphone ipad does not. The ipad download web
page looks like all the others but the iphone one looks very different,
which seems to suggest that there is a difference somewhere.
We have a profile that works on an iphone I will get hold of it and send to
the list.

Thanks

Judy


-----Original Message-----
From: Stefan Winter
[mailto:stefan.winter AT restena.lu]
Sent: 14 June 2013 12:47
To:
cat-users AT geant.net;
Mailcon2
Subject: Re: [cat-users] iphone problem

Hi,

I have taken a look at the actual profile. It has an error. Instead
of the certificate chain for the CAs it just contains the server
certificate (TCS one). This is not correct.

Please supply the whole TCS certificate chain as either one PEM file
containing all, or several files with separate certificates and
please try again then.
You are right with that; but I don't think it is the root cause of the
problem. Judy mentioned in her first mail that she initially had a
self-signed cert; which is its own CA root certificate and is a complete
chain in itself.

With TTLS-PAP, the newest IOS does not ask the user to provide
credentials at install time, only at first connection time. This is
different from PEAP.
I understood the problem to be that on this first connection, the
"unknown cert" warning comes up, and it is *not possible* to proceed
with the connection. (?)

Still, if she was able to upload a *server* cert instead of a CA cert, and
wasn't told by the UI that this is wrong, then this is something we have to
tackle in CAT. That warning needs to make it to the admin's eye.

Greetings,

Stefan

Tomasz



W dniu 14.06.2013 13:04, Stefan Winter pisze:
Hi,

We use PAP-TTLS as we authenticate against a unix password file.
Unfortunately PEAP did not work.
iPad and iPhone does not work and vast majority of students use have these
devices.
Looking at the thread, I see that you reported OS X Lion+ to work
without problems.

That's "funny" because the OS X Lion download and iOS download are
the identical file; they only have two different buttons on the
download interface because people are looking for device classes
usually, and a button with an abstract notion of "anythinig Apple"
looked less intuitive than mentioning the exact device class.

So if the OS X Lion+ installer works, I'm reasonably confident that
the profile as generated by CAT is in good working order.

Since Scott mentioned that their CloudPath installer has the same
issue, I'm really tempted to think that this is an iOS bug - in that
it can't do TTLS-PAP properly - much more than an eduroam CAT problem.

Since you can't move away from TTLS-PAP, I'm sort of lost in things
to suggest. There is one thing maybe: you could try to generate an
iOS profile "by hand"; i.e. download Apple's "iPhone Configuration
Utility", click together the settings as they apply to your IdP and
see if the resulting profile works better with the iOS devices.

I'm guessing it won't, and then it's clearly an iOS bug. If it does
work better however, please send the profile over to me so I can
inspect it for differences to what CAT generates.

Greetings,

Stefan Winter

Regards
Judy Angel

Sent from my iPad

On 13 Jun 2013, at 08:56 PM, Scott Armitage
<S.P.Armitage AT lboro.ac.uk>
wrote:

On 13 Jun 2013, at 15:46, "Angel, Judy"
<admyet4 AT herts.ac.uk>
wrote:

Hi
I am new to this system and think it is great. Thank you very much for
developing such a useful tool.
I have tested the download for w7, XP ,lion , linux and all work
fine. However the iphone app does not look as nice as the others and More to
the point down not work for me. It goes through the install screen, I enter
username and password but there is no connection.
I originally had a self certified certificate. I have now
installed the Janet Terena one which I can see as verified in the
iphone>general>profile But when I select the SSID eduroam the certificate
page with the gears is on the left, not verified in red in the middle of the
screen, accept on the right hand side but it is not an active button, so can not be
selected.
Have you come across such a problem? Any suggestions please.
I think the problem is TTLS. I noticed the same problem with our cloudpath
profiles if the authentication type was set to EAP-TTLS. I therefore had to
switch PEAP.
From memory this was discussed a while ago on another mailing list (but I
can't remember).

Try a PEAP configuration and see if you have the same problem.

Regards

Scott Armitage

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
et de la Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576






Archive powered by MHonArc 2.6.19.

Top of Page