cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Tomasz Wolniewicz <twoln AT umk.pl>
- Cc: cat-users AT geant.net
- Subject: Re: [cat-users] CAT with iPhone/iPad and older Macs
- Date: Mon, 07 Oct 2013 16:40:20 +0200
- List-archive: <https://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
- Openpgp: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
> There is also one other thing that I find strange.
> When I have connected to your server with wpa_supplicant and downloaded
> the entire certificate load, I found the root certificate plus 3 other
> certificates instead of an expected one.
> Not sure what is causing this or what this can result in, but it is
> unusual.
I find that on my box, eapol_test will always dump received certificates
/twice/ in its -o output. So I got four certs, twice the root, twice the
server cert.
I don't think that's a real issue on the wire though. At one point when
I wondered about this, I looked at the actual network traffic and it
showed that the certs are only sent once each.
I've built in a filter in CAT trunk code to ignore multiple identical
occurrences in the eapol_test result file.
IOW: a small bug in a third-party tool with no serious consequences.
Greetings,
Stefan
> Tomasz
>
>
> On 2013-10-07 16:21, Stefan Winter wrote:
>> Hi,
>>
>>> I'm attaching my installation process via screenshots. Hopefully all
>>> of them will get sent.
>>>
>>> Looking at this PDF, it seems like something is missing during the
>>> installation process.
>>>
>>> http://mobile.unibas.ch/manualsEDU/ios_cat_en.pdf
>> the difference in these two is that the PDF shows a UI request to enter
>> username and password. In iOS 6, it's a known quirk in iOS that it will
>> only request these for PEAP during installation time, for TTLS it will
>> instead ask during the first connection attempt. This is different yet
>> again in iOS 7; that one will always ask during installation time.
>>
>> However, that's not a primary reason for failure, it's just a UI
>> inconsistency.
>>
>> I have looked at your server certificate. eduroam CAT 1.1 will warn you
>> about this during the reachability check, but for now here's the manual
>> warning :-)
>>
>> Your server certificate does not explicitly set
>> "X.509 Basic Constraints: CA = FALSE"
>> in the server certificate. That's very bad behaviour for an end-entity
>> certificate, and is known to break certificate validation at least in
>> Mac OS X 10.8.
>>
>> With iOS and OS X being cousins, I would not be surprised if the failed
>> connection is due to iOS not liking your certificate when it comes along
>> in the EAP conversation.
>>
>> We have documented numerous recent constraints for EAP server
>> certificates in our eduroam documentation here:
>>
>> https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations
>>
>>
>> Your certificate is falling short of several of the recommendations in
>> that document; you might want to issue a new certificate with
>> appropriate properties.
>>
>> We are BTW adding more constraints as we become aware of them. A candidate
>> right now is that it seems to be problematic to use wildcard
>> certificates with Windows 8; I'd suggest to avoid those in addition to
>> what's on that page...
>>
>> Let us know how it goes!
>>
>> Greetings,
>>
>> Stefan Winter
>>
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
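
The kind of filter described in the message above, as an added example that is not part of the original mail and is not CAT's trunk code: it reads a certificate dump, assumed here to consist of PEM `CERTIFICATE` blocks as written by `eapol_test -o`, and keeps each certificate once by comparing SHA-256 digests of the decoded DER, so re-wrapped copies of the same certificate still count as duplicates. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def unique_certs(dump_text):
    """Return [(sha256_hex, der_bytes)] in first-seen order, skipping repeats."""
    seen, result = set(), []
    for body in PEM_RE.findall(dump_text):
        try:
            # Strip all whitespace so line wrapping does not affect the result.
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # damaged block: cannot be compared, so it is skipped
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint not in seen:
            seen.add(fingerprint)
            result.append((fingerprint, der))
    return result


def to_pem(der, width=64):
    """Helper for the sample only: wrap bytes in a PEM CERTIFICATE block."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, width))
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-in bytes, not real certificates.
ROOT = b"constructed-root-certificate-bytes" * 4
SERVER = b"constructed-server-certificate-bytes" * 4
# Root and server each appear twice; the second root copy is wrapped at a
# different line width to show that comparison happens on the DER bytes.
SAMPLE_DUMP = to_pem(ROOT) + to_pem(SERVER) + to_pem(ROOT, 76) + to_pem(SERVER)


def demo():
    """Certificates left after filtering the constructed four-block dump."""
    return [der for _, der in unique_certs(SAMPLE_DUMP)]


if __name__ == "__main__":
    for fingerprint, der in unique_certs(SAMPLE_DUMP):
        print(fingerprint, len(der), "bytes")
```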