cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Deyan Stoykov <dstoykov AT uni-ruse.bg>
- To: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT geant.net
- Subject: Re: [cat-users] Realm connectivity test - unable to verify certificate
- Date: Fri, 26 Jun 2015 12:31:05 +0300
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT uni-ruse.bg
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
- Organization: University of Ruse
On 25.6.2015 г. 21:47, Stefan Winter wrote:
Hi,
I've checked the CA certificate in an offline conversation.
It turns out that the IdP's CA has not marked the basicConstraints:CA =
TRUE as critical.
According to RFC5280, "
Conforming CAs MUST include this extension in all CA certificates
that contain public keys used to validate digital signatures on
certificates and MUST mark the extension as critical in such
certificates. "
So, if speaking RFC-conformance, the CA certificate is not valid and thus is
not an acceptable trust root.
We are not being unnecessarily pedantic in CAT - our checks simply call "openssl
verify" under
the hood, and openssl seems to take this matter rather seriously - it fails
the chain
validation and so we issue the warning that we couldn't reach a proper trust
root (the
wording of the warning is not exactly fitting, admittedly).
I'm a bit surprised that "our" openssl is the only one to find this nit. I
would expect real-life
supplicants to complain as well.
Hello Stefan,
Thank you for figuring this out.
Can you please share the version of openssl that was used for this test? Looking at the CAT source code it seems that the command was:
openssl verify -CApath $tmp_dir/root-ca-allcerts/ -purpose any server.pem
but this did verify the certificate in our environment with OpenSSL 1.0.1k
I need this to assess the effect of this problem in the long term. If openSSL has become more strict recently, then we should expect issues with wpa_supplicant on Linux and Android at least.
Best regards,
Deyan
--
Deyan Stoykov,
dstoykov AT uni-ruse.bg
ICT department
University of Ruse
- [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/25/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/25/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/26/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Alan Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Tomasz Wolniewicz, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Alan Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Tomasz Wolniewicz, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, A . L . M . Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Alan Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/26/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/25/2015
Archive powered by MHonArc 2.6.19.