cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Deyan Stoykov <dstoykov AT uni-ruse.bg>, cat-users AT geant.net
- Subject: Re: [cat-users] Realm connectivity test - unable to verify certificate
- Date: Tue, 30 Jun 2015 08:11:04 +0200
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,
> Thank you for figuring this out.
>
> Can you please share the version of openssl that was used for this test?
> Looking at the CAT source code it seems that the command was:
>
> openssl verify -CApath $tmp_dir/root-ca-allcerts/ -purpose any server.pem
>
> but this did verify the certificate in our environment with OpenSSL 1.0.1k
>
> I need this to assess the effect of this problem in the long term. If
> openSSL has become more strict recently, then we should expect issues
> with wpa_supplicant on Linux and Android at least.
Actually, our tests are a bit more thorough than that :-) Before calling
openssl, we download the CRLs from the CRLDP extension of the CA
certificate, if any, and run a full chain verification against CAs and CRLs.
Your chain validation fails because the CRL you have set in your CRLDP:
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.uni-ruse.bg/eduroam.crl
gets me an expired CRL:
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=BG/ST=Ruse/L=Ruse/O=University of Ruse/emailAddress=support AT uni-ruse.bg/CN=University of Ruse eduroam CA
Last Update: Oct 8 12:41:54 2014 GMT
Next Update: Nov 7 12:41:54 2014 GMT
... and that's why the chain is broken.
This still won't help you assess how critical the CA extension's
criticality really is, but it is one of the issues you need to fix to
come up clean.
But it does bring up a feature request :-) "Your CA's CRL is expired!"
should be an error condition we should flag in UI on the realm tests.
Noted. :-)
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
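The behaviour Stefan describes above, as an added example that is not CAT's code: a throwaway PKI (CA, server certificate carrying a CRLDP, and a CRL valid for one day) is built in a temp directory with the openssl CLI, and the same chain is then verified three ways: the plain `openssl verify -purpose any` from the quoted message, which never looks at a CRL; `-crl_check` with no CRL available, which fails because a CRL is required but cannot be obtained; and `-crl_check` with the CRL but evaluated three days later via `-attime`, which reproduces the "CRL has expired" failure from this thread. The names and URLs (Example eduroam CA, radius.example.org, crl.example.org) are constructed for the example; it assumes a reasonably current openssl binary (1.1.1 or later) and bash.

```shell
#!/usr/bin/env bash
# Added example, not CAT's code. Builds a hypothetical PKI in a temp dir and
# shows why a chain that passes "openssl verify -purpose any" can still fail
# once CRL checking is switched on (missing CRL, or CRL past nextUpdate).
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
NOW="$(date +%s)"
T_VALID=$((NOW + 3600))        # one hour from now: CRL still current
T_EXPIRED=$((NOW + 3 * 86400)) # three days from now: CRL (1 day) has expired

# Minimal openssl.cnf: CA extensions, server extensions with a (hypothetical)
# CRL distribution point, and an "openssl ca" section used only for -gencrl.
cat >"$CFG" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example eduroam CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://crl.example.org/eduroam.crl
[ ca ]
default_ca = eduroam_ca
[ eduroam_ca ]
database = $WORK/index.txt
serial = $WORK/serial
crlnumber = $WORK/crlnumber
new_certs_dir = $WORK
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = anything
[ anything ]
commonName = supplied
EOF

setup_pki() {
  (
    cd "$WORK" || exit 1
    touch index.txt; echo 1000 >serial; echo 1000 >crlnumber
    openssl req -x509 -config "$CFG" -newkey rsa:2048 -nodes -keyout ca.key \
      -out ca.pem -days 3650 -subj "/CN=Example eduroam CA"
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -keyout server.key \
      -out server.csr -subj "/CN=radius.example.org"
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 365 -extfile "$CFG" -extensions v3_server -out server.pem
    openssl ca -config "$CFG" -gencrl -out crl.pem   # nextUpdate = now + 1 day
  ) >/dev/null 2>&1
}

# What the realm test would read off a downloaded CRL before verifying.
crl_next_update() { openssl crl -in "$WORK/crl.pem" -noout -nextupdate; }

# Map "openssl verify" exit status + output to a short verdict.
classify() {
  local status="$1" out="$2"
  if [ "$status" -eq 0 ]; then echo ok
  elif printf '%s' "$out" | grep -q 'CRL has expired'; then echo crl_expired
  elif printf '%s' "$out" | grep -q 'unable to get certificate CRL'; then echo no_crl
  else echo "fail: $out"
  fi
}

# The naive check quoted in the thread: CRLs never enter the picture.
verify_plain() {
  local out status=0
  out="$(openssl verify -CAfile "$WORK/ca.pem" -purpose any "$WORK/server.pem" 2>&1)" || status=$?
  classify "$status" "$out"
}

# CRL checking requested but no CRL supplied (what a failed CRLDP download looks like).
verify_crl_missing() {
  local out status=0
  out="$(openssl verify -CAfile "$WORK/ca.pem" -crl_check "$WORK/server.pem" 2>&1)" || status=$?
  classify "$status" "$out"
}

# CRL checking with the CRL present, evaluated at an arbitrary epoch time.
verify_crl_checked_at() {
  local when="$1" out status=0
  out="$(openssl verify -attime "$when" -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
    -crl_check "$WORK/server.pem" 2>&1)" || status=$?
  classify "$status" "$out"
}

setup_pki
echo "CRL $(crl_next_update)"
echo "plain verify (-purpose any):   $(verify_plain)"
echo "CRL check, CRL unavailable:    $(verify_crl_missing)"
echo "CRL check, CRL current:        $(verify_crl_checked_at "$T_VALID")"
echo "CRL check, three days later:   $(verify_crl_checked_at "$T_EXPIRED")"
```

For a real deployment the same check is a one-liner against the URL in the CRLDP; CRLs published on the web are usually DER, so `curl -s http://crl.uni-ruse.bg/eduroam.crl | openssl crl -inform DER -noout -nextupdate` (or `-inform PEM` if the file starts with `-----BEGIN X509 CRL-----`) prints the date the realm test will compare against the current time.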