cat-users - Re: [cat-users] Problem with Linux Configuration Script

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [cat-users] Problem with Linux Configuration Script


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT geant.net
  • Subject: Re: [cat-users] Problem with Linux Configuration Script
  • Date: Tue, 18 Mar 2014 15:54:08 +0100
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

by coincidence, this configuration problem would have been detected by
the CAT trunk's 1.1 checks. Of course the check was meant to check if
the server cert verifies against the root, but since I use "openssl
verify" to actually *do* the check, this rather odd condition would have
been caught as well.

I should only change the textual information around the failed check. It
was meant to be:

"The server certificate could not be verified to the root CA you
configured in your profile!"

But a more correct phrasing would probably be

"At least one certificate in the set of intermediate and server certs
could not be verified to the root CA you configured in your profile!"

This describes the error condition better, but sounds less clear to an
innocent admin.

I wonder if there are any preferences for the wording ...

Greetings,

Stefan Winter

On 18.03.2014 14:31, Michele de Varda wrote:
> Thank you all for your precious support!
> I changed the certification chain as you suggested to me, and now the CAT
> configuration for Linux is working.
>
> Thanks again,
>
> Michele
>
>
>
> On 03/15/2014 11:51 AM, Tomasz Wolniewicz wrote:
>> One more go at this problem.
>>
>> Certificates included in the profile define two certification paths.
>> The server itself is certified by the G3 CA; this CA is certified by the G5
>> CA. For G5 we have two certificates: one issued by G5 itself and
>> another by "OU=Class 3 Public Primary Certification Authority". The
>> profile does not contain a certificate for OU=Class 3 Public Primary
>> Certification Authority, therefore one of the certification paths is
>> properly terminated while the other is not.
>>
>> For Windows, CAT picks the only self-signed CA in the profile and
>> sets it as trusted. This makes one of the certification paths trusted.
>> On Linux, it looks like the verification gets confused.
>>
>> I suppose leaving just one certification path would cure the situation.
>>
>> Tomasz
>>
>>
>> On 14.03.2014, 16:28, Michele de Varda wrote:
>>> Hello,
>>>
>>> I inserted into the CAT system the configuration for the Università
>>> degli Studi di Milano.
>>> I tried all the configurations generated by the CAT system and most of
>>> them (Microsoft and Apple) work fine.
>>> We have an issue with the Linux configuration script (attached); we
>>> tested it with Ubuntu 12.10 and it doesn't work.
>>>
>>> The problem is with the certificate file ca.pem (Verisign Class 3 -
>>> G5); the FreeRADIUS log is below:
>>>
>>> Wed Mar 12 11:03:52 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM2 port 109 cli 74:e5:43:a3:a9:5a)
>>> Wed Mar 12 11:04:00 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM1 port 109 cli 74:e5:43:a3:a9:5a)
>>> Wed Mar 12 11:04:05 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM2 port 109 cli 74:e5:43:a3:a9:5a)
>>> Wed Mar 12 11:04:13 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [noc AT unimi.it] (from client IAM1 port 109 cli 74:e5:43:a3:a9:5a)
>>>
>>>
>>> Why doesn't the Linux configuration work? Is the CA certificate the same
>>> as in the Microsoft/Apple configuration?
>>>
>>>
>>> Thank you for your great job!
>>>
>>> Regards,
>>>
>>> Michele de Varda
>>>
>>> PS: When will an Android client be available?
>>>
>>>
>>> --
>>> Michele de Varda
>>> Divisione Telecomunicazioni
>>> tel. 02 503 15306
>>> fax. 02 503 15211
>>> via G. Colombo 46
>>> 20133 Milano
>>
>> --
>> Tomasz Wolniewicz
>>
>> twoln AT umk.pl
>> http://www.umk.pl/~twoln
>>
>> Uczelniane Centrum Informatyczne (Information & Communication
>> Technology Centre)
>> Uniwersytet Mikolaja Kopernika (Nicolaus Copernicus University),
>> pl. Rapackiego 1, Torun, Poland
>> tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
>
>


--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
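The condition Tomasz describes (two certification paths in the profile, only one of which ends in the self-signed CA that is actually in the profile) and the per-certificate "openssl verify" check Stefan describes for the 1.1 release can be reproduced offline. The script below is an added example, not code from CAT or from anyone in this thread: it builds a throw-away stand-in PKI with openssl (the subject names, key sizes, file names and the "Stand-in" organisation are assumptions, not the real VeriSign hierarchy), assembles the profile bundle once with the cross-signed G5 certificate and once without it, and then runs every certificate in the bundle, intermediates and server certificate alike, through "openssl verify" against the configured root, which is what the thread says the check does.

```shell
#!/bin/sh
# Added example (not CAT code). Reproduces the two-path chain from the thread
# with a constructed stand-in PKI and runs the per-certificate verify check.
set -eu

# Minimal req config so "openssl req" works without a system openssl.cnf,
# plus the extension files for CA and end-entity certificates.
write_cnf() {  # dir
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.org\n' > "$1/ee.ext"
}

# Fresh RSA key and CSR for one name (assumed 2048-bit keys).
csr() {  # dir name subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "$3" -config "$1/req.cnf" 2>/dev/null
}

# Stand-in hierarchy: Primary (not shipped in the profile) cross-signs G5;
# G5 is also self-signed; G5 signs G3; G3 signs the RADIUS server cert.
make_testpki() {  # dir
    d=$1
    write_cnf "$d"
    csr "$d" primary "/O=Stand-in/CN=Class 3 Public Primary CA (not in profile)"
    csr "$d" g5      "/O=Stand-in/CN=Class 3 G5"
    csr "$d" g3      "/O=Stand-in/CN=Class 3 G3"
    csr "$d" server  "/O=Stand-in/CN=radius.example.org"
    # two self-signed roots
    openssl x509 -req -in "$d/primary.csr" -signkey "$d/primary.key" -days 30 -set_serial 1 \
        -extfile "$d/ca.ext" -out "$d/primary.crt" 2>/dev/null
    openssl x509 -req -in "$d/g5.csr" -signkey "$d/g5.key" -days 30 -set_serial 2 \
        -extfile "$d/ca.ext" -out "$d/g5-self.crt" 2>/dev/null
    # the same G5 key and subject, but issued by Primary: the cross certificate
    openssl x509 -req -in "$d/g5.csr" -CA "$d/primary.crt" -CAkey "$d/primary.key" -days 30 -set_serial 3 \
        -extfile "$d/ca.ext" -out "$d/g5-cross.crt" 2>/dev/null
    openssl x509 -req -in "$d/g3.csr" -CA "$d/g5-self.crt" -CAkey "$d/g5.key" -days 30 -set_serial 4 \
        -extfile "$d/ca.ext" -out "$d/g3.crt" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/g3.crt" -CAkey "$d/g3.key" -days 30 -set_serial 5 \
        -extfile "$d/ee.ext" -out "$d/server.crt" 2>/dev/null
    # Profile as uploaded in the thread: both G5 certs, G3 and server; Primary missing.
    cat "$d/g5-self.crt" "$d/g5-cross.crt" "$d/g3.crt" "$d/server.crt" > "$d/profile-twopaths.pem"
    # Tomasz's fix: keep a single certification path.
    cat "$d/g5-self.crt" "$d/g3.crt" "$d/server.crt" > "$d/profile-onepath.pem"
}

# Emulates the check described in the thread: each certificate in the profile
# must verify to the configured root, with the rest of the profile as untrusted
# chain material. Failing subjects go to stderr; stdout is the failure count.
count_unverifiable() {  # root.crt profile.pem
    root=$1; bundle=$2
    work=$(mktemp -d)
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/c" n ".pem")}' "$bundle"
    bad=0
    for c in "$work"/c*.pem; do
        if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$c" >/dev/null 2>&1; then
            echo "FAIL: $(openssl x509 -noout -subject -in "$c")" >&2
            bad=$((bad + 1))
        fi
    done
    rm -rf "$work"
    echo "$bad"
}

main() {
    d=$(mktemp -d)
    make_testpki "$d"
    echo "profile with two paths, configured root = self-signed G5:"
    echo "  $(count_unverifiable "$d/g5-self.crt" "$d/profile-twopaths.pem") certificate(s) do not verify to the root"
    echo "profile with one path:"
    echo "  $(count_unverifiable "$d/g5-self.crt" "$d/profile-onepath.pem") certificate(s) do not verify to the root"
    rm -rf "$d"
}
main
```

With the two-path bundle the only failure is the cross-signed G5 certificate, whose issuer is nowhere in the profile; the server certificate itself still verifies, because OpenSSL 1.1.0 and later prefer issuers from the trust store when building the chain. That is why Stefan's original wording ("the server certificate could not be verified") would have been misleading for this case and his second phrasing is the accurate one. OpenSSL releases before 1.1.0 did not prefer trusted issuers and could follow the cross certificate up to the missing Class 3 Public Primary root instead, which is consistent with, though not confirmed by, Tomasz's observation that the Linux verification "gets confused".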



