
cat-users - Re: [cat-users] Problem with eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: José Manuel Macías <jmanuel.macias AT rediris.es>, Alex Sharaz <alex.sharaz AT york.ac.uk>, "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] Problem with eduroam
  • Date: Wed, 23 Oct 2013 08:22:58 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool (CAT)" <cat-users.geant.net>
  • Openpgp: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> This was discussed in the list one month ago or so... if things haven't
> changed in this time (i.e., if Apple did not fix it) and I'm not
> mistaken, this message by Stefan is a very good summary:

The summary below was (probably, need more data) too drastic: it does
not seem to affect any CA with an intermediate, but just one specific
intermediate CA cert; unluckily, it's one of those in the TCS chain.

The reason seems to be that this certificate used to be a root cert of
its own a long time ago, then got re-issued as an intermediate of
another CA. OSes removed the now-defunct "root" CA from their cert store
and the world was in order.

Enter iOS 7, which erroneously re-added the cert as an intermediate.
Which leads to conflicting information if the same Subject CA comes
along but presents itself as an intermediate instead. Installing that CA
in the store seems to overwrite the wrong default.

So, if you're NOT using TERENA TCS / a.k.a. "Janet Certificate Service"
in the UK, then you probably don't have any issue at all.

Stefan

>
> 8<...
> "The profiles definition did not change between iOS 6 and iOS 7, and
> many iOS 7 devices continue to work as before.
>
> We have heard repeated reports that there appears to be one bug in iOS 7
> which prevents things from working in one specific condition:
>
> If your server certificate is not directly signed by a root CA, but by a
> chain with intermediate CAs in between, then
>
> * if the intermediate CA cert is sent in the EAP exchange, it gets
> ignored (this is the bug)
> * if the intermediate CA cert is among the CAs that are provisioned with
> the profile, things work
>
> This bug particularly hits TERENA TCS certificate customers, because
> there is a chain to the root certificate at play here.
>
> CAT can help you overcome this - simply upload the intermediates along
> with the root CA; CAT will then install the entire chain.
>
> However, this is not a CAT problem, it's an iOS oddity. In particular,
> it does not only affect institutions using CAT; if you create your own
> profiles using the Apple Configurator tool you suffer from the same."
> ...>8
>
> Greetings,
>
> Jose Manuel.
>
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
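An added example, not part of the original message: a shell check, using the standard `openssl verify` command, of whether a server certificate validates from the CAs provisioned in a profile alone, or only with help from intermediates sent in the EAP exchange (the case the quoted summary says iOS 7 gets wrong). The function names and the "Demo" CA chain are constructed for illustration.

```shell
#!/bin/sh
# Added example. All certificates here are constructed test data.

# Build a throwaway root -> intermediate -> server chain in directory $1.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 2 -days 2 \
        -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" \
        -CAkey "$d/inter.key" -set_serial 3 -days 2 \
        -out "$d/server.pem" 2>/dev/null || return 1
}

# True only if the server cert ($2) verifies using nothing but the CAs in
# the profile bundle ($1): what a client that ignores EAP-sent
# intermediates has to work with.
profile_chain_complete() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if the chain verifies when the client also uses the intermediates
# the server sends ($2), treated as untrusted helpers.
eap_chain_valid() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# $1 = profile CA bundle, $2 = intermediates sent in EAP, $3 = server cert
# Returns 0 complete, 1 depends on EAP-sent intermediates, 2 broken.
audit_profile() {
    if profile_chain_complete "$1" "$3"; then
        echo "complete: chain builds from the profile alone"; return 0
    elif eap_chain_valid "$1" "$2" "$3"; then
        echo "incomplete: relies on intermediates from the EAP exchange"
        return 1
    fi
    echo "broken: chain does not verify at all"; return 2
}
```

A result of 1 for a production profile means the intermediate should be added to the profile's CA list, as the quoted summary recommends.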
