cat-users - Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tiago Picado <tpicado AT isa.ulisboa.pt>
  • To: Stefan Winter <stefan.winter AT restena.lu>, A.L.M.Buxey AT lboro.ac.uk, Péter Lipták <liptak AT office365.ulisboa.pt>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, "suporte AT eduroam.fccn.pt" <suporte AT eduroam.fccn.pt>, Helpdesk <helpdesk AT isa.ulisboa.pt>
  • Subject: Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam
  • Date: Mon, 05 Oct 2015 12:58:59 +0100
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Organization: Instituto Superior de Agronomia


Dear all,

Thank you for the helpful responses. From what we have looked into this
issue so far, the problem most likely remains with the FreeRADIUS
version we are using, which is fairly old and is not even supposed to
support TLS-1.2. At this time, we don't think the problem is due to
certificate issues.

Unfortunately, we have not yet had the opportunity to finalise the
intended update to our RADIUS infrastructure. In the meantime, I would
ask Stefan Winter if he can perform the realm checks against
@isa.ulisboa.pt, as I believe the tested system is the University's
RADIUS, and not our ISA Faculty RADIUS.

Kind regards,

Tiago Picado


On 05-10-2015 12:50, Stefan Winter wrote:
> Uh,
>
> false alarm, sorry. I should drink more coffee. My eapol_test-2.5 was
> compiled without PKCS12 support while the config file mentioned a dummy
> .p12 file for EAP-TLS, and this strangely enough led to this strange loop.
>
> Now, in fact, both with 2.0 and 2.5, the realm checks work fine. So I'm
> running out of ideas why iOS 9 and this realm would not work...
>
> Stefan
>
> Am 05.10.2015 um 13:21 schrieb Stefan Winter:
>> Hi,
>>
>>> certificate requirements are here:
>>> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>>>
>>>
>>> IOS9 devices working fine at other sites that have fixed their RADIUS
>>> server config and
>>> certificates
>> Assuming the realm is @ulisboa.pt:
>>
>> This doesn't look like a typical certificate property error. It's a
>> TERENA Certificate Service certificate valid until 2016.
>>
>> The reachability checks of CAT work fine when using eapol_test 2.0 and
>> fail badly with eapol_test 2.5.
>>
>> The debug log shows:
>>
>> [3644] => OpenSSL: tls_connection_private_key - Failed to load
>> private key error:0609E09C:digital envelope
>> routines:PKEY_SET_TYPE:unsupported algorithm
>> [3645] => OpenSSL: pending error: error:0606F076:digital envelope
>> routines:EVP_PKCS82PKEY:unsupported private key algorithm
>> [3646] => OpenSSL: pending error: error:140CB00D:SSL
>> routines:SSL_use_PrivateKey_file:ASN1 lib
>> [3647] => OpenSSL: pending error: error:0906D06C:PEM
>> routines:PEM_read_bio:no start line
>> [3648] => OpenSSL: pending error: error:140CB009:SSL
>> routines:SSL_use_PrivateKey_file:PEM lib
>>
>> ... this makes me think that this is the EAP-TTLS/PEAP TLS-1.2
>> incompatibility in FreeRADIUS pre 2.2.9 and pre 3.0.10.
>>
>> The only thing I don't have an answer for is: why is this now hitting
>> actual prod devices? According to collective rumour, Apple has removed
>> the TLS 1.2 negotiation just before the 9.0 GM. Maybe not in the
>> Italian GM?
>>
>> In any case, either
>> - downgrading OpenSSL to a version which does not support TLS 1.2
>> - upgrading FreeRADIUS to 2.2.9 or 3.0.10 (released tomorrow)
>>
>> would help. The first suggestion is more like a joke though - NEVER
>> downgrade security-relevant software!
>>
>> Greetings,
>>
>> Stefan Winter
>>
>


--
Tiago Picado
tpicado AT isa.ulisboa.pt

CIISA - Instituto Superior de Agronomia
Tapada da Ajuda, 1349-017 Lisboa, Portugal
+351.21.3653498/59, +351.21.3635031 (Fax)
http://www.isa.ulisboa.pt/ciisa





