
cat-users - Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: A.L.M.Buxey AT lboro.ac.uk, Péter Lipták <liptak AT office365.ulisboa.pt>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, "suporte AT eduroam.fccn.pt" <suporte AT eduroam.fccn.pt>, Helpdesk <helpdesk AT isa.ulisboa.pt>, Tiago Picado <tpicado AT isa.ulisboa.pt>
  • Subject: Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam
  • Date: Mon, 5 Oct 2015 13:21:43 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> certificate requirements are here:
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>
>
> IOS9 devices working fine at other sites that have fixed their RADIUS
> server config and
> certificates

Assuming the realm is @ulisboa.pt:

This doesn't look like a typical certificate property error. It's a
TERENA Certificate Service certificate valid until 2016.

The reachability checks of CAT work fine when using eapol_test 2.0 and
fail badly with eapol_test 2.5.

The debug log shows:

[3644] => OpenSSL: tls_connection_private_key - Failed to load
private key error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported algorithm
[3645] => OpenSSL: pending error: error:0606F076:digital envelope
routines:EVP_PKCS82PKEY:unsupported private key algorithm
[3646] => OpenSSL: pending error: error:140CB00D:SSL
routines:SSL_use_PrivateKey_file:ASN1 lib
[3647] => OpenSSL: pending error: error:0906D06C:PEM
routines:PEM_read_bio:no start line
[3648] => OpenSSL: pending error: error:140CB009:SSL
routines:SSL_use_PrivateKey_file:PEM lib

... this makes me think that this is the EAP-TTLS/PEAP TLS-1.2
incompatibility in FreeRADIUS pre 2.2.9 and pre 3.0.10.

The only thing I don't have an answer for is: why is this now hitting
actual prod devices? According to collective rumour, Apple has removed
the TLS 1.2 negotiation just before the 9.0 GM. Maybe not in the
Italian GM?

In any case, either
- downgrading OpenSSL to a version which does not support TLS 1.2
- upgrading FreeRADIUS to 2.2.9 or 3.0.10 (released tomorrow)

would help. The first suggestion is more like a joke though - NEVER
downgrade security-relevant software!

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
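
An added example, not part of the original message and not code from eapol_test or FreeRADIUS: a Python triage helper that rejoins the mail-wrapped debug lines quoted above, unpacks each OpenSSL error code using the OpenSSL 1.x layout (8-bit library, 12-bit function, 12-bit reason), and compares a FreeRADIUS version string with the 2.2.9 / 3.0.10 releases named in the message. The function names and the embedded log copy are constructed for illustration.

```python
import re

# Constructed sample: the debug lines from the message, wrapped as in the mail.
SAMPLE_LOG = """\
[3644] => OpenSSL: tls_connection_private_key - Failed to load
private key error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported algorithm
[3645] => OpenSSL: pending error: error:0606F076:digital envelope
routines:EVP_PKCS82PKEY:unsupported private key algorithm
[3646] => OpenSSL: pending error: error:140CB00D:SSL
routines:SSL_use_PrivateKey_file:ASN1 lib
[3647] => OpenSSL: pending error: error:0906D06C:PEM
routines:PEM_read_bio:no start line
[3648] => OpenSSL: pending error: error:140CB009:SSL
routines:SSL_use_PrivateKey_file:PEM lib
"""

# OpenSSL 1.x library numbers that occur in this log (ERR_LIB_* in err.h).
LIBS = {6: "EVP", 9: "PEM", 20: "SSL"}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")

def unwrap(log):
    """Rejoin mail-wrapped lines: a new entry starts with '[<number>]'."""
    entries = []
    for line in log.splitlines():
        if re.match(r"\[\d+\]", line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def decode(entry):
    """Unpack the 32-bit code: 8 bits library, 12 bits function, 12 bits reason."""
    m = ERR_RE.search(entry)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {"lib": LIBS.get(code >> 24 & 0xFF, "?"), "func": code >> 12 & 0xFFF,
            "reason": code & 0xFFF, "func_name": m.group(3), "text": m.group(4).strip()}

def predates_fix(version):
    """True/False for 2.x and 3.x versus 2.2.9 / 3.0.10; None for other branches."""
    v = tuple(int(p) for p in version.split("."))
    fixed = {2: (2, 2, 9), 3: (3, 0, 10)}.get(v[0])
    return None if fixed is None else v < fixed
```

Reason values 13 and 9 in the SSL entries are the generic ERR_R_ASN1_LIB and ERR_R_PEM_LIB codes, which mark them as wrappers around the EVP and PEM errors elsewhere in the queue.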



