Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] Realm connectivity test - unable to verify certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] Realm connectivity test - unable to verify certificate


Chronological Thread 
  • From: Deyan Stoykov <dstoykov AT uni-ruse.bg>
  • To: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT geant.net
  • Subject: Re: [cat-users] Realm connectivity test - unable to verify certificate
  • Date: Tue, 30 Jun 2015 12:58:10 +0300
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT uni-ruse.bg
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Organization: University of Ruse

On 30.6.2015 г. 9:11, Stefan Winter wrote:
Hello,

Thank you for figuring this out.

Can you please share the version of openssl that was used for this test?
Looking at the CAT source code it seems that the command was:

openssl verify -CApath $tmp_dir/root-ca-allcerts/ -purpose any server.pem

but this did verify the certificate in our environment with OpenSSL 1.0.1k

I need this to assess the effect of this problem in the long term. If
openSSL has become more strict recently, then we should expect issues
with wpa_supplicant on Linux and Android at least.

Actually, our tests are a bit more thorough than that :-) Before calling
openssl, we download the CRLs from the CRLDP extension of the CA
certificate, if any, and run a full chain verification against CAs and CRLs.

Your chain validation fails because the CRL you have set in your CRLDP:

X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.uni-ruse.bg/eduroam.crl

gets me an expired CRL:

Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=BG/ST=Ruse/L=Ruse/O=University of
Ruse/emailAddress=support AT uni-ruse.bg/CN=University
of Ruse eduroam CA
Last Update: Oct 8 12:41:54 2014 GMT
Next Update: Nov 7 12:41:54 2014 GMT

... and that's why the chain is broken.

Hello Stefan,
Thank you, I regenerated the CRL and now connectivity tests are "happy".

As for the extension criticality issue, we'll check updated supplicants in the future and act accordingly. For now I have filed an issue against FreeRADIUS about their OpenSSL config files not marking the extension as critical.

https://github.com/FreeRADIUS/freeradius-server/issues/1073

Best regards,
Deyan

--
Deyan Stoykov,
dstoykov AT uni-ruse.bg
ICT department
University of Ruse





Archive powered by MHonArc 2.6.19.

Top of Page