
cat-users - Re: [cat-users] Porblem with eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Alex Sharaz <alex.sharaz AT york.ac.uk>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: Re: [cat-users] Porblem with eduroam
  • Date: Wed, 23 Oct 2013 08:12:37 +0100
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Again, thanks for this... No, we're not using the Janet cert service... but
I've just been pump-priming our client devices for a move to JCS by
pre-installing all the root and intermediate certs on their clients, so at some
point I can just change the cert the server hands out to be a JCS/TERENA one.

Rgds
alex
On 23 Oct 2013, at 07:22, Stefan Winter wrote:

> Hi,
>
>> This was discussed in the list one month ago or so... if things haven't
>> changed in this time (i.e. if Apple did not fix it) and I'm not
>> mistaken, this message by Stefan is a very good summary:
>
> The summary below was (probably, need more data) too drastic: it does
> not seem to affect any CA with an intermediate, but just one specific
> intermediate CA cert; unluckily, it's one of those in the TCS chain.
>
> The reason seems to be that this certificate used to be a root cert of
> its own a long time ago, then got re-issued as an intermediate of
> another CA. OSes removed the now-defunct "root" CA from their cert store
> and the world was in order.
>
> Enter iOS 7, which erroneously re-added the cert as an intermediate.
> Which leads to conflicting information if the same Subject CA comes
> along but presents itself as an intermediate instead. Installing that CA
> in the store seems to overwrite the wrong default.
>
> So, if you're NOT using TERENA TCS / a.k.a. "Janet Certificate Service"
> in the UK, then you probably don't have any issue at all.
>
> Stefan
>
>>
>> 8<...
>> "The profiles definition did not change between iOS 6 and iOS 7, and
>> many iOS 7 devices continue to work as before.
>>
>> We have heard repeated reports that there appears to be one bug in iOS 7
>> which prevents things from working in one specific condition:
>>
>> If your server certificate is not directly signed by a root CA, but by a
>> chain with intermediate CAs in between, then
>>
>> * if the intermediate CA cert is sent in the EAP exchange, it gets
>> ignored (this is the bug)
>> * if the intermediate CA cert is among the CAs that are provisioned with
>> the profile, things work
>>
>> This bug particularly hits TERENA TCS certificate customers, because
>> there is a chain to the root certificate at play here.
>>
>> CAT can help you overcome this - simply upload the intermediates along
>> with the root CA; CAT will then install the entire chain.
>>
>> However, this is not a CAT problem, it's an iOS oddity. In particular,
>> it does not only affect institutions using CAT; if you create your own
>> profiles using the Apple Configurator tool you suffer from the same."
>> ...>8
>>
>> Greetings,
>>
>> Jose Manuel.
>>
>>
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> <0x8A39DC66.asc>
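
The workaround quoted above (provision the intermediates with the profile) can be checked before uploading a bundle to CAT. The following is an added example, not part of the original thread or of CAT: it assumes the `openssl` command-line tool, builds a constructed three-level test chain, and verifies the server certificate against the profile's CA bundle only, the way a client that ignores intermediates sent in the EAP exchange would.

```bash
#!/usr/bin/env bash
# Constructed PKI (root -> intermediate -> RADIUS server); every name is made up.
set -eu

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_test_pki() {  # $1 = empty working directory
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  new_csr "$1/root" "Constructed Root CA"
  new_csr "$1/int"  "Constructed Intermediate CA"
  new_csr "$1/srv"  "radius.example.org"
  # Self-signed root, intermediate signed by the root, server cert signed by the intermediate.
  openssl x509 -req -days 2 -in "$1/root.csr" -signkey "$1/root.key" \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  openssl x509 -req -days 2 -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  openssl x509 -req -days 2 -in "$1/srv.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -out "$1/srv.pem" 2>/dev/null
}

# Succeeds only if the server cert chains to a self-signed root using nothing but
# the CAs in the profile bundle: no -untrusted file, so no intermediates "from the wire".
# -no-CApath keeps the system CA directory out of the result.
profile_validates() {  # $1 = CA bundle shipped in the profile, $2 = server cert
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_test_pki "$tmp"
cat "$tmp/root.pem" "$tmp/int.pem" > "$tmp/full.pem"
for bundle in root full; do
  if profile_validates "$tmp/$bundle.pem" "$tmp/srv.pem"; then
    echo "$bundle.pem: server cert validates from the profile alone"
  else
    echo "$bundle.pem: chain incomplete, add the intermediate to the profile"
  fi
done
```

To check a real deployment, call `profile_validates` with the PEM bundle you intend to upload and your RADIUS server's certificate in place of the constructed files.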





