The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Deyan Stoykov <dstoykov AT uni-ruse.bg>]

On 30.6.2015 г. 9:11, Stefan Winter wrote:
> Hello,
>
> > Thank you for figuring this out.
> >
> > Can you please share the version of openssl that was used for this test?
> > Looking at the CAT source code it seems that the command was:
> >
> > openssl verify -CApath $tmp_dir/root-ca-allcerts/ -purpose any server.pem
> >
> > but this did verify the certificate in our environment with OpenSSL 1.0.1k
> >
> > I need this to assess the effect of this problem in the long term. If
> > openSSL has become more strict recently, then we should expect issues
> > with wpa_supplicant on Linux and Android at least.
>
> Actually, our tests are a bit more thorough than that :-) Before calling
> openssl, we download the CRLs from the CRLDP extension of the CA
> certificate, if any, and run a full chain verification against CAs and CRLs.
>
> Your chain validation fails because the CRL you have set in your CRLDP:
>
> X509v3 CRL Distribution Points:
>                Full Name:
>                URI:http://crl.uni-ruse.bg/eduroam.crl
>
> gets me an expired CRL:
>
> Certificate Revocation List (CRL):
>          Version 1 (0x0)
>      Signature Algorithm: sha256WithRSAEncryption
>          Issuer: /C=BG/ST=Ruse/L=Ruse/O=University of
> Ruse/emailAddress=support AT uni-ruse.bg/CN=University
>  of Ruse eduroam CA
>          Last Update: Oct  8 12:41:54 2014 GMT
>          Next Update: Nov  7 12:41:54 2014 GMT
>
> ... and that's why the chain is broken.

Hello Stefan,
Thank you, I regenerated the CRL and now connectivity tests are "happy".

As for the extension criticality issue, we'll check updated supplicants 
in the future and act accordingly. For now I have filed an issue against 
FreeRADIUS about their OpenSSL config files not marking the extension as 
critical.

https://github.com/FreeRADIUS/freeradius-server/issues/1073

Best regards,
Deyan

--
Deyan Stoykov, 
dstoykov AT uni-ruse.bg
ICT department
University of Ruse