cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: A.L.M.Buxey AT lboro.ac.uk, Péter Lipták <liptak AT office365.ulisboa.pt>
- Cc: "cat-users AT geant.net" <cat-users AT geant.net>, "suporte AT eduroam.fccn.pt" <suporte AT eduroam.fccn.pt>, Helpdesk <helpdesk AT isa.ulisboa.pt>, Tiago Picado <tpicado AT isa.ulisboa.pt>
- Subject: Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam
- Date: Mon, 5 Oct 2015 14:16:00 +0200
- List-archive: <https://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
now testing with isa.ulisboa.pt :-)
okay, after more looking around, I explicitly disabled TLS 1.0 on the
client side, which made the server fail negotiation:
OpenSSL: openssl_handshake - SSL_connect error:14077102:SSL
routines:SSL23_GET_SERVER_HELLO:unsupported protocol
So, the RADIUS server on the other end indeed only supports TLS 1.0 (I
didn't look downward, maybe it does SSL3 still ;-) ).
That still doesn't explain why iOS 9 would take offence - since the TLS
1.2 requirement was removed before GM, TLS 1.0 would be good enough.
But I read this in the iOS 9 Release Notes:
"Secure Transport
Note
DHE_RSA cipher suites are now disabled by default in Secure Transport
for TLS clients. This may cause failure to connect to TLS servers that
only support DHE_RSA cipher suites. "
So, even if both sides negotiate TLS 1.0 - they could still fail if the
server is on DHE_RSA only.
Now, how would I find out if the server's cipher suites are only in the
DHE_RSA family, or maybe even older and rejected by iOS since a longer
time? I have no idea :-)
Upgrading FreeRADIUS is still the solution of choice IMHO.
Greetings,
Stefan Winter
Am 05.10.2015 um 13:21 schrieb Stefan Winter:
> Hi,
>
>> certificate requirements are here:
>> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>>
>>
>> IOS9 devices working fine at other sites that have fixed their RADIUS
>> server config and
>> certificates
>
> Assuming the realm is @ulisboa.pt:
>
> This doesn't look like a typical certificate property error. It's a
> TERENA Certificate Service certificate valid until 2016.
>
> The reachability checks of CAT work fine when using eapol_test 2.0 and
> fail badly with eapol_test 2.5.
>
> The debug log shows:
>
> [3644] => OpenSSL: tls_connection_private_key - Failed to load
> private key error:0609E09C:digital envelope
> routines:PKEY_SET_TYPE:unsupported algorithm
> [3645] => OpenSSL: pending error: error:0606F076:digital envelope
> routines:EVP_PKCS82PKEY:unsupported private key algorithm
> [3646] => OpenSSL: pending error: error:140CB00D:SSL
> routines:SSL_use_PrivateKey_file:ASN1 lib
> [3647] => OpenSSL: pending error: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
> [3648] => OpenSSL: pending error: error:140CB009:SSL
> routines:SSL_use_PrivateKey_file:PEM lib
>
> ... this makes me think that this is the EAP-TTLS/PEAP TLS-1.2
> incompatibility in FreeRADIUS pre 2.2.9 and pre 3.0.10.
>
> The only thing I don't have an answer for is: why is this now hitting
> actual prod devices? According to collective rumour, Apple has removed
> the TLS 1.2 negotiation just before the 9.0 GM. Maybe not in the
> Italian GM?
>
> In any case, either
> - downgrading OpenSSL to a version which does not support TLS 1.2
> - upgrading FreeRADIUS to 2.2.9 or 3.0.10 (released tomorrow)
>
> would help. The first suggestion is more like a joke though - NEVER
> downgrade security-relevant software!
>
> Greetings,
>
> Stefan Winter
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
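The open question in the message above (is the server DHE_RSA-only, or TLS 1.0-only?) can be answered empirically from the client side. The script below is an added example, not code from the thread or from eduroam CAT: it drives eapol_test with restricted OpenSSL cipher strings and TLS-version flags and classifies each run from the log. It assumes eapol_test 2.5 built against OpenSSL, honouring the global openssl_ciphers option and the phase1 tls_disable_tlsv1_0 flag; host, shared secret, identity and CA path are placeholders.

```shell
# Added example: probe an EAP/RADIUS server with eapol_test under cipher-suite
# and TLS-version restrictions to see whether it is DHE_RSA-only or TLS 1.0-only.
# Assumes eapol_test 2.5 honouring openssl_ciphers and phase1 tls_disable_* flags.
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"                        # placeholder
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"                   # placeholder
EAP_IDENTITY="${EAP_IDENTITY:-anonymous@realm.example}"        # placeholder
CA_CERT="${CA_CERT:-/etc/ssl/certs/ca-certificates.crt}"       # placeholder
# Write one eapol_test config: $1 = file, $2 = OpenSSL cipher string, $3 = phase1.
write_probe_conf() {
    cat > "$1" <<EOF
openssl_ciphers=$2
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$EAP_IDENTITY"
    anonymous_identity="$EAP_IDENTITY"
    ca_cert="$CA_CERT"
    phase1="$3"
    phase2="auth=MSCHAPV2"
}
EOF
}
# Classify an eapol_test log. "unsupported protocol" is the error seen in the
# thread when no TLS version overlaps; "handshake failure" is OpenSSL's alert
# when no cipher suite overlaps (assumed). Prints ok|no_protocol|no_cipher|failed.
classify_eapol_log() {
    if grep -q '^SUCCESS' "$1"; then echo ok
    elif grep -q 'unsupported protocol' "$1"; then echo no_protocol
    elif grep -q 'handshake failure' "$1"; then echo no_cipher
    else echo failed
    fi
}
run_probe() {  # $1 = label, $2 = cipher string, $3 = phase1 flags
    write_probe_conf "probe-$1.conf" "$2" "$3"
    eapol_test -c "probe-$1.conf" -a "$RADIUS_HOST" -s "$RADIUS_SECRET" \
        > "probe-$1.log" 2>&1
    printf '%-10s %s\n' "$1" "$(classify_eapol_log "probe-$1.log")"
}
# Reading the matrix: baseline ok, no-dhe no_cipher, dhe-only ok => the server
# offers only DHE_RSA suites (what an iOS 9 client with DHE_RSA disabled hits);
# no-tls10 no_protocol => the server speaks TLS 1.0 only.
run_all_probes() {
    run_probe baseline 'DEFAULT'      ''
    run_probe no-dhe   'DEFAULT:!EDH' ''
    run_probe dhe-only 'EDH+aRSA'     ''
    run_probe no-tls10 'DEFAULT'      'tls_disable_tlsv1_0=1'
}
case "${1:-}" in run) run_all_probes ;; esac
```

Run it as `sh probe.sh run` from a directory where the probe-*.conf and probe-*.log files may be written; the EDH/aRSA aliases are long-standing OpenSSL cipher-string names, so they also work with the OpenSSL 1.0.x builds of that era.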