cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Deyan Stoykov <dstoykov AT uni-ruse.bg>
- To: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT geant.net
- Subject: Re: [cat-users] Realm connectivity test - unable to verify certificate
- Date: Tue, 30 Jun 2015 12:58:10 +0300
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT uni-ruse.bg
- List-archive: <http://mail.geant.net/pipermail/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
- Organization: University of Ruse
On 30.6.2015 at 9:11, Stefan Winter wrote:
>> Hello,
>> Thank you for figuring this out.
>> Can you please share the version of openssl that was used for this test?
>> Looking at the CAT source code it seems that the command was:
>> openssl verify -CApath $tmp_dir/root-ca-allcerts/ -purpose any server.pem
>> but this did verify the certificate in our environment with OpenSSL 1.0.1k
>> I need this to assess the effect of this problem in the long term. If
>> openSSL has become more strict recently, then we should expect issues
>> with wpa_supplicant on Linux and Android at least.
> Actually, our tests are a bit more thorough than that :-) Before calling
> openssl, we download the CRLs from the CRLDP extension of the CA
> certificate, if any, and run a full chain verification against CAs and CRLs.
> Your chain validation fails because the CRL you have set in your CRLDP:
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://crl.uni-ruse.bg/eduroam.crl
> gets me an expired CRL:
> Certificate Revocation List (CRL):
> Version 1 (0x0)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: /C=BG/ST=Ruse/L=Ruse/O=University of Ruse/emailAddress=support AT uni-ruse.bg/CN=University of Ruse eduroam CA
> Last Update: Oct 8 12:41:54 2014 GMT
> Next Update: Nov 7 12:41:54 2014 GMT
> ... and that's why the chain is broken.
Hello Stefan,
Thank you, I regenerated the CRL and now connectivity tests are "happy".
As for the extension criticality issue, we'll check updated supplicants in the future and act accordingly. For now I have filed an issue against FreeRADIUS about their OpenSSL config files not marking the extension as critical.
https://github.com/FreeRADIUS/freeradius-server/issues/1073
Best regards,
Deyan
--
Deyan Stoykov,
dstoykov AT uni-ruse.bg
ICT department
University of Ruse
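The difference between the bare `openssl verify` one-liner quoted above and the CRL-aware check Stefan describes is easy to reproduce locally. The script below is an added example written for this archive page; it is not CAT's code and not anything posted by Deyan or Stefan. It builds a throwaway CA, a RADIUS server certificate and a 30-day v1 CRL (all names, and the CRLDP URI http://crl.example.org/eduroam.crl, are constructed), lays them out in a `-CApath` directory the way CAT does, and then runs the verification twice: without CRL checking (which is what Deyan's test did) and with `-crl_check_all` (which is what CAT does). Rather than waiting for the CRL to lapse, it uses `-attime` to verify at a point 60 days in the future, where the certificates are still valid but the CRL's nextUpdate has passed. CAT fetches the CRL over HTTP from the URI in the CRLDP extension; here the freshly generated CRL file stands in for that download so the script runs offline. It assumes OpenSSL 1.1.1 or newer and a `date` that understands `+%s`.

```shell
#!/bin/sh
# Added example, not CAT's own code: rebuild the CRL-aware chain check that
# CAT's realm connectivity test performs, against a throwaway CA, server
# certificate and CRL created here. Assumes OpenSSL 1.1.1+ (for -attime and
# -crl_check_all) and `date +%s`. All names and the CRLDP URI are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal config for `openssl req` / `openssl ca`. No crlnumber file, so the
# CRL comes out as a v1 CRL like the one quoted in the thread.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
O = Example University
CN = Example eduroam CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
crlDistributionPoints = URI:http://crl.example.org/eduroam.crl
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://crl.example.org/eduroam.crl
EOF
mkdir newcerts; : > index.txt; echo 01 > serial

# Constructed CA, server certificate and a CRL that is valid for 30 days.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config ca.cnf \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=radius.example.org" \
    -keyout server.key -out server.csr 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in server.csr -out server.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# The URI(s) CAT would fetch the CRL from: the CRLDP extension of the cert.
crldp_uris() {
    openssl x509 -noout -text -in "$1" | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://'
}
# nextUpdate of a CRL, the field that was in the past in Ruse's case.
crl_next_update() {
    openssl crl -noout -nextupdate -in "$1" | sed 's/^nextUpdate=//'
}

# Trust directory in -CApath layout: CA certs as <hash>.0, CRLs as <hash>.r0,
# so `openssl verify` can find the CRL by issuer name.
mkdir capath
cp ca.pem  "capath/$(openssl x509 -noout -hash -in ca.pem).0"
cp crl.pem "capath/$(openssl crl  -noout -hash -in crl.pem).r0"

# $1 = "plain" (the bare command quoted in the thread) or "crl" (CAT's check,
# which also requires a valid, current CRL for every cert in the chain),
# $2 = certificate to verify, $3 = optional verification time (epoch seconds).
do_verify() {
    mode=$1; cert=$2; when=${3:-}
    set -- -CApath capath -purpose any
    [ "$mode" = crl ] && set -- "$@" -crl_check_all
    [ -n "$when" ] && set -- "$@" -attime "$when"
    openssl verify "$@" "$cert"
}

NOW=$(date +%s)
LATER=$((NOW + 60 * 86400))   # 60 days on: certs still valid, 30-day CRL not

echo "CRLDP: $(crldp_uris ca.pem)  CRL nextUpdate: $(crl_next_update crl.pem)"
echo "-- no CRL check, today:";    do_verify plain server.pem          || true
echo "-- CRL check, today:";       do_verify crl   server.pem          || true
echo "-- no CRL check, +60 days:"; do_verify plain server.pem "$LATER" || true
echo "-- CRL check, +60 days:";    do_verify crl   server.pem "$LATER" || true
```

The first three runs succeed; only the last one fails, with OpenSSL reporting `CRL has expired` (verify error 12). That is exactly the situation on the Ruse side: the plain `-CApath ... -purpose any` command never loads or dates the CRL, so it passed locally, while CAT's check, which puts the downloaded CRL next to the CA certificate and turns on CRL checking, rejected the chain. The same `crl_next_update` check is a cheap thing to monitor on a CRL served from a CRLDP so that an expired CRL is caught before a supplicant or an external test does.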
- [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/25/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/25/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/26/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Alan Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Tomasz Wolniewicz, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Alan Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Tomasz Wolniewicz, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, A . L . M . Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Alan Buxey, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/30/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Deyan Stoykov, 06/26/2015
- Re: [cat-users] Realm connectivity test - unable to verify certificate, Stefan Winter, 06/25/2015