The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Deyan Stoykov <dstoykov AT uni-ruse.bg>]

On 25.6.2015 г. 21:47, Stefan Winter wrote:
> Hi,
>
> I've checked the CA certificate in an offline conversation.
>
> It turns out that the IdP's CA has not marked the basicConstraints:CA =
> TRUE as critical.
>
> According to RFC5280, "
>
> Conforming CAs MUST include this extension in all CA certificates
>     that contain public keys used to validate digital signatures on
>     certificates and MUST mark the extension as critical in such
>     certificates. "
>
> So, if speaking RFC-conformance, the CA certificate is not valid and thus is 
> not an acceptable trust root.
>
> We are not being unnecessarily pedantic in CAT - our checks simply call "openssl 
> verify" under
> the hood, and openssl seems to take this matter rather seriously - it fails 
> the chain
> validation and so we issue the warning that we couldn't reach a proper trust 
> root (the
> wording of the warning is not exactly fitting, admittedly).
>
> I'm a bit surprised that "our" openssl is the only one to find this nit. I 
> would expect real-life
> supplicants to complain as well.

Hello Stefan,
Thank you for figuring this out.

Can you please share the version of openssl that was used for this test? 
Looking at the CAT source code it seems that the command was:

openssl verify -CApath $tmp_dir/root-ca-allcerts/ -purpose any server.pem

but this did verify the certificate in our environment with OpenSSL 1.0.1k

I need this to assess the effect of this problem in the long term. If 
openSSL has become more strict recently, then we should expect issues 
with wpa_supplicant on Linux and Android at least.

Best regards,
Deyan

--
Deyan Stoykov, 
dstoykov AT uni-ruse.bg
ICT department
University of Ruse