cat-users - Re: [cat-users] Realm connectivity test - unable to verify certificate

cat-users AT lists.geant.org


Re: [cat-users] Realm connectivity test - unable to verify certificate


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Deyan Stoykov <dstoykov AT uni-ruse.bg>, cat-users AT geant.net
  • Subject: Re: [cat-users] Realm connectivity test - unable to verify certificate
  • Date: Thu, 25 Jun 2015 20:47:23 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

I've checked the CA certificate in an offline conversation.

It turns out that the IdP's CA has not marked the basicConstraints CA=TRUE
extension as critical.

According to RFC 5280:

"Conforming CAs MUST include this extension in all CA certificates
that contain public keys used to validate digital signatures on
certificates and MUST mark the extension as critical in such
certificates."

So, speaking of RFC conformance, the CA certificate is not valid and thus is
not an acceptable trust root.

We are not being unnecessarily pedantic in CAT - our checks simply call
"openssl verify" under the hood, and openssl seems to take this matter rather
seriously - it fails the chain validation and so we issue the warning that we
couldn't reach a proper trust root (the wording of the warning is not exactly
fitting, admittedly).

I'm a bit surprised that "our" openssl is the only one to find this nit. I
would expect real-life supplicants to complain as well.

In any case... marking the CA=TRUE basicConstraints extension as critical will
make your CA certificate more comforting to SSL libraries.

Greetings,

Stefan Winter

On 25.06.2015 12:27, Deyan Stoykov wrote:
> Hi all,
> Since the upgrade to CAT 1.1 I'm getting the following message when
> performing a realm connectivity test from our IdP admin page:
>
> {red icon} The server certificate could not be verified to the root CA
> you configured in your profile!
>
> I'm pretty sure our certificate setup is fine and none of the
> supplicants set up by CAT have any problems verifying the certificate.
>
> Since first noticing this I have reissued the server certificate and
> included the authorityKeyIdentifier extension, but that didn't make a
> difference.
>
> We are using a private CA exclusively for eduroam, based on
> the .cnf files shipped with FreeRADIUS 3, modified in accordance with
> the EAP certificate recommendations in the wiki.
>
> If someone is interested in looking into this, I can provide more info.
> Best regards,
> Deyan
>
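The check discussed in this thread, as an added example that is not part of the original messages or of CAT itself: the script below uses the openssl CLI to mint three throwaway self-signed certificates (one CA with basicConstraints marked critical as RFC 5280 requires, one CA with the extension present but non-critical, and one non-CA certificate), reports how each is flagged, and then issues a leaf certificate from each CA and runs "openssl verify" against it, which is the same call CAT's connectivity test makes under the hood. The CA names, the "radius.example.org" subject, the extension sections and the helper names are all assumptions made up for this example; the verify outcome for the non-critical CA is printed rather than asserted, so you can see what your own OpenSSL build does with it.

```shell
#!/bin/sh
# Added example (not from the thread, not CAT's code): inspect the
# basicConstraints extension of a CA certificate and run the same
# "openssl verify" that CAT uses. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME BC -> self-signed $WORK/NAME.pem; BC is the basicConstraints value
make_cert() {
    name=$1; bc=$2
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example eduroam CA ($name)
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = $bc
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -config "$WORK/$name.cnf" -keyout "$WORK/$name.key" \
        -out "$WORK/$name.pem" 2>/dev/null
}

# basic_constraints_status FILE -> one of:
#   critical     CA:TRUE and the extension is marked critical (RFC 5280 conformant)
#   non-critical CA:TRUE present but the extension is not critical
#   not-a-ca     extension present but CA:FALSE
#   missing      no basicConstraints extension at all
basic_constraints_status() {
    text=$(openssl x509 -in "$1" -noout -text)
    line=$(printf '%s\n' "$text" | grep 'X509v3 Basic Constraints' || true)
    if [ -z "$line" ]; then echo missing; return; fi
    # in the -text dump the CA:TRUE/CA:FALSE value sits on the line after the header
    value=$(printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | tail -n 1)
    case "$value" in *CA:TRUE*) ;; *) echo not-a-ca; return ;; esac
    case "$line" in *critical*) echo critical ;; *) echo non-critical ;; esac
}

# issue_leaf CA_NAME -> $WORK/CA_NAME-leaf.pem, a server certificate signed by that CA
issue_leaf() {
    ca=$1
    cat > "$WORK/$ca-leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = radius.example.org
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$ca-leaf.cnf" \
        -keyout "$WORK/$ca-leaf.key" -out "$WORK/$ca-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$ca-leaf.csr" -CA "$WORK/$ca.pem" \
        -CAkey "$WORK/$ca.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/$ca-leaf.cnf" -extensions v3_server \
        -out "$WORK/$ca-leaf.pem" 2>/dev/null
}

# verify_leaf CA_NAME -> "ok" or "FAIL", the verdict of "openssl verify" for that chain
verify_leaf() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$1-leaf.pem" >/dev/null 2>&1
    then echo ok; else echo FAIL; fi
}

make_cert strict  "critical, CA:TRUE"   # what RFC 5280 asks for
make_cert lax     "CA:TRUE"             # the IdP's situation in the thread
make_cert leafish "CA:FALSE"            # not a CA at all
for n in strict lax leafish; do
    printf '%-8s basicConstraints: %s\n' "$n" "$(basic_constraints_status "$WORK/$n.pem")"
done
for n in strict lax; do
    issue_leaf "$n"
    printf '%-8s openssl verify:   %s\n' "$n" "$(verify_leaf "$n")"
done
```

Run it as-is; it cleans up after itself. To check a real CA certificate instead, call basic_constraints_status on the PEM file you uploaded to CAT and, if it prints non-critical, change the line in your CA's .cnf to "basicConstraints = critical, CA:TRUE" and reissue the CA certificate (a new CA certificate, with the same key, still has to be redistributed through your CAT profile).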





