Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] Porblem with eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] Porblem with eduroam


Chronological Thread 
  • From: Alex Sharaz <alex.sharaz AT york.ac.uk>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] Porblem with eduroam
  • Date: Wed, 23 Oct 2013 08:12:37 +0100
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

again, thanks for this....no we're not using the janet cert service .... but
I've just been pump priming our client devices for a move to JCS by pre
installing all the root and intermediate certs on their clients so at some
point I can just change the cert the server hands out to be a JCS/TErena one

Rgds
alex
On 23 Oct 2013, at 07:22, Stefan Winter wrote:

> Hi,
>
>> This was discussed in the list one month ago or so... if things haven't
>> changed in this time (ie: if Apple did not fixed it) and I'm not
>> mistaken, this message by Stefan is a very good summary:
>
> The summary below was (probably, need more data) too drastic: it does
> not seem to affect any CA with an intermediate, but just one specific
> intermediate CA cert; unluckily, it's one of those in the TCS chain.
>
> The reason seems to be that this certificate used to be a root cert of
> its own a long time ago, then got re-issued as an intermediate of
> another CA. OSes removed the now-defunct "root" CA from their cert store
> and the world was in order.
>
> Enter iOS 7, which erroneously re-added the cert as an intermediate.
> Which leads to conflicting information if the same Subject CA comes
> along but presents itself as an intermediate instead. Installing that CA
> in the store seems to overwrite the wrong default.
>
> So, if you're NOT using TERENA TCS / a.k.a. "Janet Certificate Service"
> in the UK, then you probably don't have any issue at all.
>
> Stefan
>
>>
>> 8<...
>> "The profiles definition did not change between iOS 6 and iOS 7, and
>> many iOS 7 devices continue to work as before.
>>
>> We have heard repeated reports that there appears to be one bug in iOS 7
>> which prevents things from working in one specific condition:
>>
>> If your server certificate is not directly signed by a root CA, but by a
>> chain with intermediate CAs in between, then
>>
>> * if the intermediate CA cert is sent in the EAP exchange, it gets
>> ignored (this is the bug)
>> * if the intermediate CA cert is among the CAs that are provisioned with
>> the profile, things work
>>
>> This bug particularly hits TERENA TCS certificate customers, because
>> there is a chain to the root certificate at play here.
>>
>> CAT can halp you overcome this - simply upload the intermediates along
>> with the root CA; CAT will then install the entire chain.
>>
>> However, this is not a CAT problem, it's an iOS oddity. In particular,
>> it does not only affect institutions using CAT; if you create your own
>> profiles using the Apple Configurator tool you suffer from the same."
>> ...>8
>>
>> Greetings,
>>
>> Jose Manuel.
>>
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> <0x8A39DC66.asc>






Archive powered by MHonArc 2.6.19.

Top of Page