
cat-users - Re: [cat-users] CAT with iPhone/iPad and older Macs

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [cat-users] CAT with iPhone/iPad and older Macs

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT geant.net
  • Subject: Re: [cat-users] CAT with iPhone/iPad and older Macs
  • Date: Mon, 07 Oct 2013 17:22:31 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Silly me.
Tomasz

On 07.10.2013 16:40, Stefan Winter wrote:
> Hi,
>
>> There is also one other thing that I find strange.
>> When I have connected to your server with wpa_supplicant and downloaded
>> the entire certificate load, I found the root certificate plus 3 other
>> certificates instead of an expected one.
>> Not sure what is causing this or what this can result in, but it is
>> unusual.
> I find that on my box, eapol_test will always dump received certificates
> /twice/ in its -o output. So I got four certs, twice the root, twice the
> server cert.
>
> I don't think that's a real issue on the wire though. At one point when
> I wondered about this, I looked at the actual network traffic and it
> showed that the certs are only sent once each.
>
> I've built in a filter in CAT trunk code to ignore multiple identical
> occurrences in the eapol_test result file.
>
> IOW: a small bug in a third-party tool with no serious consequences.
>
> Greetings,
>
> Stefan
>
>> Tomasz
>>
>>
>> On 2013-10-07 16:21, Stefan Winter wrote:
>>> Hi,
>>>
>>>> I'm attaching my installation process via screenshots. Hopefully all
>>>> of them will get sent.
>>>>
>>>> Looking at this PDF, it seems like something is missing during the
>>>> installation process.
>>>>
>>>> http://mobile.unibas.ch/manualsEDU/ios_cat_en.pdf
>>> the difference in these two is that the PDF shows a UI request to enter
>>> username and password. In iOS 6, it's a known quirk in iOS that it will
>>> only request these for PEAP during installation time, for TTLS it will
>>> instead ask during the first connection attempt. This is different yet
>>> again in iOS 7; that one will always ask during installation time.
>>>
>>> However, that's not a primary reason for failure, it's just a UI
>>> inconsistency.
>>>
>>> I have looked at your server certificate. eduroam CAT 1.1 will warn you
>>> about this during the reachability check, but for now here's the manual
>>> warning :-)
>>>
>>> Your server certificate does not explicitly set
>>> "X.509 Basic Constraints: CA = FALSE"
>>> in the server certificate. That's very bad behaviour for an end-entity
>>> certificate, and is known to break certificate validation at least in
>>> Mac OS X 10.8.
>>>
>>> With iOS and OS X being cousins, I would not be surprised if the failed
>>> connection is due to iOS not liking your certificate when it comes along
>>> in the EAP conversation.
>>>
>>> We have documented numerous recent constraints for EAP server
>>> certificates in our eduroam documentation here:
>>>
>>> https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations
>>>
>>>
>>> Your certificate is falling short of several of the recommendations in
>>> that document; you might want to issue a new certificate with
>>> appropriate properties.
>>>
>>> We are BTW adding more constraints as we become aware of it. A candidate
>>> right now is that it seems to be problematic to use wildcard
>>> certificates with Windows 8; I'd suggest to avoid those in addition to
>>> what's on that page...
>>>
>>> Let us know how it goes!
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.umk.pl/~twoln

Information & Communication Technology Centre
Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
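The two technical points in the quoted thread, the doubled certificates in an eapol_test -o dump and the missing "Basic Constraints: CA = FALSE" (plus the wildcard caveat) on the EAP server certificate, can be checked with a small script. What follows is an added example written for this archive page; it is not code from CAT, eapol_test or either author. It uses a hand-written DER walker so it needs only the Python standard library, and the sample input is constructed in the block itself: the certificates are unsigned but structurally valid, and the names "Example Root CA" and "radius.example.org" are made up. The function names (unique_certs, parse_certificate, check_eap_server_cert, audit_dump) are this example's own.

```python
"""Checks for EAP server certificates dumped by eapol_test -o (added example,
not CAT or eapol_test code; sample certificates below are constructed)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN, OID_SAN, OID_BC = b"\x55\x04\x03", b"\x55\x1d\x11", b"\x55\x1d\x13"


def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def unique_certs(dump):
    """DER certs from a PEM dump, keeping only the first copy of each
    (eapol_test -o writes every received certificate twice, as the thread notes)."""
    seen, out = set(), []
    for b64 in PEM_RE.findall(dump):
        der = base64.b64decode("".join(b64.split()))
        if der not in seen:
            seen.add(der)
            out.append(der)
    return out


def parse_certificate(der):
    """Issuer/subject (raw DER), subject CN, SAN dNSNames and Basic Constraints."""
    fields = der_children(der_children(der_tlv(der)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                                     # explicit [0] version
        fields = fields[1:]
    info = {"issuer": fields[2][1], "subject": fields[4][1], "cn": None, "dns": [], "ca": None}
    for _, rdn in der_children(info["subject"]):                 # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                info["cn"] = val[1].decode()
    for tag, val in fields:
        if tag != 0xA3:                                          # [3] extensions
            continue
        for _, ext in der_children(der_tlv(val)[1]):
            parts = der_children(ext)                            # OID, [critical], OCTET STRING
            oid, body = parts[0][1], der_tlv(parts[-1][1])[1]
            if oid == OID_BC:     # cA BOOLEAN DEFAULT FALSE: absent means not a CA
                info["ca"] = any(t == 0x01 and v == b"\xff" for t, v in der_children(body))
            elif oid == OID_SAN:  # dNSName carries context tag [2]
                info["dns"] = [v.decode() for t, v in der_children(body) if t == 0x82]
    return info


def check_eap_server_cert(info):
    """Findings against the recommendations quoted in the thread."""
    findings = []
    if info["ca"] is None:
        findings.append("no Basic Constraints: set CA:FALSE explicitly (breaks OS X 10.8)")
    elif info["ca"]:
        findings.append("Basic Constraints CA:TRUE on an end-entity certificate")
    if any(n.startswith("*.") for n in info["dns"] + [info["cn"] or ""]):
        findings.append("wildcard name: reported problematic with Windows 8")
    return findings


def audit_dump(dump):
    """CN -> findings for each leaf (a cert whose subject issues nothing else) in a dump."""
    certs = [parse_certificate(d) for d in unique_certs(dump)]
    issuers = {c["issuer"] for c in certs}
    return {c["cn"]: check_eap_server_cert(c) for c in certs if c["subject"] not in issuers}


# --- constructed sample data: unsigned, the signature field is dummy bytes -----------
def tlv(tag, body):
    """DER-encode one TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert(subject_cn, issuer_cn, ca=None, dns=()):
    """PEM for a structurally valid v3 certificate; ca=None omits Basic Constraints."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    exts = b""
    if dns:
        exts += tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, tlv(0x30, b"".join(tlv(0x82, d.encode()) for d in dns))))
    if ca is not None:
        exts += tlv(0x30, tlv(0x06, OID_BC) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff") if ca else b"")))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer_cn)
              + tlv(0x30, tlv(0x17, b"131007000000Z") + tlv(0x17, b"141007000000Z")) + name(subject_cn)
              + tlv(0x30, alg + tlv(0x03, b"\x00" * 16)) + tlv(0xA3, tlv(0x30, exts)))
    b64 = base64.b64encode(tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 32))).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


ROOT = sample_cert("Example Root CA", "Example Root CA", ca=True)
BAD_SERVER = sample_cert("radius.example.org", "Example Root CA", dns=["radius.example.org"])
GOOD_SERVER = sample_cert("radius.example.org", "Example Root CA", ca=False, dns=["radius.example.org"])
SAMPLE_DUMP = (ROOT + BAD_SERVER) * 2   # eapol_test -o quirk reproduced: every cert twice

if __name__ == "__main__":
    print(len(unique_certs(SAMPLE_DUMP)), "unique certs;", audit_dump(SAMPLE_DUMP))
```

On a real dump you would replace SAMPLE_DUMP with the contents of the file written by eapol_test -o; the leaf detection (a subject that issues nothing else in the dump) picks out the server certificate without relying on the order in which the certificates were written. The DER walker does no signature checking, so it tells you about the certificate's structure only, which is all the thread's recommendations concern.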
