
cat-users - Re: [cat-users] [Alunos] Update to the iOS 9 system - problems with Eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: A.L.M.Buxey AT lboro.ac.uk, Péter Lipták <liptak AT office365.ulisboa.pt>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, "suporte AT eduroam.fccn.pt" <suporte AT eduroam.fccn.pt>, Helpdesk <helpdesk AT isa.ulisboa.pt>, Tiago Picado <tpicado AT isa.ulisboa.pt>
  • Subject: Re: [cat-users] [Alunos] Update to the iOS 9 system - problems with Eduroam
  • Date: Mon, 5 Oct 2015 13:50:45 +0200
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Uh,

false alarm, sorry. I should drink more coffee. My eapol_test-2.5 was
compiled without PKCS12 support while the config file mentioned a dummy
.p12 file for EAP-TLS, and this strangely enough led to this strange loop.

Now, in fact, both with 2.0 and 2.5, the realm checks work fine. So I'm
running out of ideas why iOS 9 and this realm would not work...

Stefan

On 05.10.2015 at 13:21, Stefan Winter wrote:
> Hi,
>
>> certificate requirements are here:
>> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>>
>>
>> IOS9 devices working fine at other sites that have fixed their RADIUS
>> server config and
>> certificates
>
> Assuming the realm is @ulisboa.pt:
>
> This doesn't look like a typical certificate property error. It's a
> TERENA Certificate Service certificate valid until 2016.
>
> The reachability checks of CAT work fine when using eapol_test 2.0 and
> fail badly with eapol_test 2.5.
>
> The debug log shows:
>
> [3644] => OpenSSL: tls_connection_private_key - Failed to load
> private key error:0609E09C:digital envelope
> routines:PKEY_SET_TYPE:unsupported algorithm
> [3645] => OpenSSL: pending error: error:0606F076:digital envelope
> routines:EVP_PKCS82PKEY:unsupported private key algorithm
> [3646] => OpenSSL: pending error: error:140CB00D:SSL
> routines:SSL_use_PrivateKey_file:ASN1 lib
> [3647] => OpenSSL: pending error: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> [3648] => OpenSSL: pending error: error:140CB009:SSL
> routines:SSL_use_PrivateKey_file:PEM lib
>
> ... this makes me think that this is the EAP-TTLS/PEAP TLS-1.2
> incompatibility in FreeRADIUS pre 2.2.9 and pre 3.0.10.
>
> The only thing I don't have an answer for is: why is this now hitting
> actual prod devices? According to collective rumour, Apple has removed
> the TLS 1.2 negotiation just before the 9.0 GM. Maybe not in the
> Italian GM?
>
> In any case, either
> - downgrading OpenSSL to a version which does not support TLS 1.2
> - upgrading FreeRADIUS to 2.2.9 or 3.0.10 (released tomorrow)
>
> would help. The first suggestion is more like a joke though - NEVER
> downgrade security-relevant software!
>
> Greetings,
>
> Stefan Winter
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
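
The debug output quoted in this thread can be triaged mechanically. The following is an added example, not part of the original message or of eapol_test: it rejoins the mail-wrapped log lines, parses the OpenSSL error queue, and flags a failure to load the supplicant's own private key, which is what the follow-up traced the problem to. The function names `unwrap` and `triage` and the verdict labels are hypothetical.

```python
import re

# Debug lines quoted in the thread, with the mail line-wrapping left in place.
SAMPLE_LOG = """\
[3644] => OpenSSL: tls_connection_private_key - Failed to load
private key error:0609E09C:digital envelope
routines:PKEY_SET_TYPE:unsupported algorithm
[3645] => OpenSSL: pending error: error:0606F076:digital envelope
routines:EVP_PKCS82PKEY:unsupported private key algorithm
[3646] => OpenSSL: pending error: error:140CB00D:SSL
routines:SSL_use_PrivateKey_file:ASN1 lib
[3647] => OpenSSL: pending error: error:0906D06C:PEM
routines:PEM_read_bio:no start line
[3648] => OpenSSL: pending error: error:140CB009:SSL
routines:SSL_use_PrivateKey_file:PEM lib
"""

RECORD_START = re.compile(r"^\[\d+\] => ")
# OpenSSL error string layout: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

def unwrap(text):
    """Drop mail quoting ('> ') and rejoin wrapped lines: one record per '[n] =>'."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if line and (RECORD_START.match(line) or not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def triage(text):
    """Classify the failure and return the parsed OpenSSL error queue."""
    records = unwrap(text)
    errors = [dict(zip(("code", "lib", "func", "reason"), m.groups()))
              for m in map(OPENSSL_ERR.search, records) if m]
    # This message concerns the key configured on the test client itself.
    key_load_failed = any("Failed to load private key" in r for r in records)
    # "no start line": the file has no PEM header (e.g. it is a PKCS#12 file).
    not_pem = any(e["func"] == "PEM_read_bio" and e["reason"] == "no start line"
                  for e in errors)
    verdict = ("local-key-load-failure" if key_load_failed
               else "other-openssl-error" if errors else "no-openssl-error")
    return {"verdict": verdict, "key_file_not_pem": key_load_failed and not_pem,
            "errors": errors}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `local-key-load-failure` verdict points at the test client's own configuration and build options, so it should be ruled out before the result is read as evidence about the RADIUS server.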
