
cat-users - Re: [cat-users] Realm connectivity test - unable to verify certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [cat-users] Realm connectivity test - unable to verify certificate


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Deyan Stoykov <dstoykov AT uni-ruse.bg>, cat-users AT geant.net
  • Subject: Re: [cat-users] Realm connectivity test - unable to verify certificate
  • Date: Tue, 30 Jun 2015 08:11:04 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

> Thank you for figuring this out.
>
> Can you please share the version of openssl that was used for this test?
> Looking at the CAT source code it seems that the command was:
>
> openssl verify -CApath $tmp_dir/root-ca-allcerts/ -purpose any server.pem
>
> but this did verify the certificate in our environment with OpenSSL 1.0.1k
>
> I need this to assess the effect of this problem in the long term. If
> openSSL has become more strict recently, then we should expect issues
> with wpa_supplicant on Linux and Android at least.

Actually, our tests are a bit more thorough than that :-) Before calling
openssl, we download the CRLs from the CRLDP extension of the CA
certificate, if any, and run a full chain verification against CAs and CRLs.

Your chain validation fails because the CRL you have set in your CRLDP:

X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.uni-ruse.bg/eduroam.crl

gets me an expired CRL:

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=BG/ST=Ruse/L=Ruse/O=University of Ruse/emailAddress=support AT uni-ruse.bg/CN=University of Ruse eduroam CA
Last Update: Oct 8 12:41:54 2014 GMT
Next Update: Nov 7 12:41:54 2014 GMT

... and that's why the chain is broken.

This still won't help you assess how critical the CA extension's
criticality really is, but it is one of the issues you need to fix to
come up clean.

But it does bring up a feature request :-) "Your CA's CRL is expired!"
should be an error condition we should flag in UI on the realm tests.
Noted. :-)

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
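The check Stefan describes above (fetch the CA's CRL, then run a full chain verification against CAs and CRLs), reproduced as an added example that is not part of the original message and not CAT's own code. It builds a throw-away CA, a server certificate and a one-day CRL with openssl (all constructed test data), then verifies the chain once now and once two days later via -attime, when only the CRL has passed its Next Update; the file names, CN values and helper names are assumptions.

```shell
#!/bin/sh
# Added example, not CAT's code: a chain that verifies fine today is rejected
# two days later, because the CRL (valid one day) has passed its Next Update,
# even though every certificate in the chain is still valid.
set -eu
WORK=$(mktemp -d)   # throw-away directory; everything in it is constructed test data

# CA cert, server cert and a CRL whose nextUpdate is now + 1 day.
build_fixture() (
  cd "$WORK"
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed eduroam CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
EOF
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
    -days 30 -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -config demo.cnf -subj "/CN=radius.example.org" -newkey rsa:2048 \
    -nodes -sha256 -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in server.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out server.pem 2>/dev/null
  : > index.txt
  openssl ca -config demo.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null
)

# Full chain + CRL verification of server.pem, as CAT's realm test does, evaluated
# at UNIX time $1. Prints openssl's verdict; exit status 0 only if the chain is accepted.
verify_at() {
  [ -f "$WORK/crl.pem" ] || build_fixture
  openssl verify -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" -crl_check \
    -purpose any -attime "$1" "$WORK/server.pem" 2>&1
}

now=$(date +%s)
verify_at "$now"                          # ...server.pem: OK
verify_at "$((now + 2 * 86400))" || true  # error 12 ...: CRL has expired
```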



