
cat-users - Re: [cat-users] Yosemite

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, cat-users AT geant.net, jenny AT ebi.ac.uk
  • Subject: Re: [cat-users] Yosemite
  • Date: Sat, 29 Nov 2014 12:16:52 +0100
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

> I have run tests on EAPlab (http://eaplab.supplicants.net) for PEAP on
> OS X 10.10.1 and they do not confirm your findings.
> EAPlab implements both single and chain CA cases, the default CAT
> profile installs only the root CA and authentications work fine.
>
> To be quite sure I also look at the downloaded server cert and OS X
> shows that the server cert is issued by an unknown CA, this proves
> that the intermediate CA is not installed on my system.

I've taken a look at Jenny's root CA and I think I know the problem with
*her* CA.

She's using TERENA Certificate Service certificates (or Janet's
rebranding name for it).

One of the intermediates in the chain used to be a self-signed root
until it was acquired and became an intermediate cert by re-signing.

iOS 7 & 8 carry the self-signed version in their trust store, and will
not believe an EAP-incoming version of the same certificate that has a
different signer.

We recommend that people install the intermediates in these cases, as the
OS seems to be much happier if it finds a conflicting version in its own
trust store, and not in the EAP conversation.

That's known for iOS, and something EAPLab can't grasp (but also doesn't
have to really).

The news in all this would be that 10.10 falls into the same trap now.
The cert has not been self-signed for a long, long time. I really
hope that Apple didn't "update" their trust store with that stale
information.

Looking forward to a 10.10.2 and subsequent bug report if it is still
causing problems there.

Greetings,

Stefan Winter
>
> Tomasz
>
>
> On 22.11.2014 at 13:58, Jenny Martin wrote:
>> Yosemite seems to need all the intermediate CA certificates in your
>> certificate chain included in the eduroam profile. Previous versions of
>> MacOS X were happy with just the root CA certificate. We found that
>> iOS 7 & 8 need all the certificates too.
>>
>> You can just add the intermediate certificates in your eduroamcat IdP
>> profile and rebuild the installers.
>>
>>
>

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
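
The situation described in the message above (an intermediate in the EAP chain that the client OS also holds as a self-signed root) can be checked for before a profile is rebuilt. The Python below is an added example, not part of the original message or of CAT; the `Cert` type, the function names and all certificate names are constructed, and it assumes the subject, issuer and a public-key fingerprint have already been extracted from each certificate.

```python
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str  # subject DN
    issuer: str   # issuer DN
    key_id: str   # fingerprint of the subject public key (assumed pre-extracted)

    @property
    def self_signed(self):
        return self.subject == self.issuer


def conflicting_variants(eap_chain, os_trust_store):
    """Return (presented, stored) pairs that are the same CA (subject and key)
    where the stored copy is self-signed and the presented copy was re-signed
    by a different issuer."""
    conflicts = []
    for presented in eap_chain:
        for stored in os_trust_store:
            same_ca = (presented.subject, presented.key_id) == (stored.subject, stored.key_id)
            if same_ca and stored.self_signed and presented.issuer != stored.issuer:
                conflicts.append((presented, stored))
    return conflicts


def needs_intermediates(eap_chain, os_trust_store):
    """True when a root-only profile is at risk and intermediates should be added."""
    return bool(conflicting_variants(eap_chain, os_trust_store))


# Constructed sample data: one CA key that exists in two signed forms.
ACQUIRED_SELF = Cert("CN=Constructed Acquired CA", "CN=Constructed Acquired CA", "key-A")
ACQUIRED_CROSS = Cert("CN=Constructed Acquired CA", "CN=Constructed New Root", "key-A")
NEW_ROOT = Cert("CN=Constructed New Root", "CN=Constructed New Root", "key-R")
ISSUING = Cert("CN=Constructed Issuing CA", "CN=Constructed Acquired CA", "key-I")
SERVER = Cert("CN=radius.example.org", "CN=Constructed Issuing CA", "key-S")

EAP_CHAIN = [SERVER, ISSUING, ACQUIRED_CROSS]  # what the RADIUS server sends
STORE_STALE = [NEW_ROOT, ACQUIRED_SELF]        # OS store still holds the old self-signed form
STORE_CLEAN = [NEW_ROOT]                       # OS store without the old form

if __name__ == "__main__":
    for name, store in (("stale", STORE_STALE), ("clean", STORE_CLEAN)):
        for presented, stored in conflicting_variants(EAP_CHAIN, store):
            print(f"{name}: {presented.subject} sent with issuer {presented.issuer}, "
                  f"stored as self-signed")
        print(f"{name}: add intermediates to profile = {needs_intermediates(EAP_CHAIN, store)}")
```
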



