
cat-users - Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam


  • From: Tiago Picado <tpicado AT isa.ulisboa.pt>
  • To: Stefan Winter <stefan.winter AT restena.lu>, A.L.M.Buxey AT lboro.ac.uk, Péter Lipták <liptak AT office365.ulisboa.pt>
  • Cc: "cat-users AT geant.net" <cat-users AT geant.net>, "suporte AT eduroam.fccn.pt" <suporte AT eduroam.fccn.pt>, Helpdesk <helpdesk AT isa.ulisboa.pt>
  • Subject: Re: [cat-users] [Alunos] Atualizacao para o sistema iOS 9 - problemas com a Eduroam
  • Date: Mon, 05 Oct 2015 13:28:39 +0100
  • List-archive: <https://mail.geant.net/mailman/private/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Organization: Instituto Superior de Agronomia


Dear Stefan,

Thank you again for all the help. Yes, since as previously mentioned our
FreeRADIUS infrastructure is fairly old, upgrading it has always been
the intended first step for solving the issue. We hope to get this done
as soon as possible.

Kind regards,

Tiago Picado


On 05-10-2015 13:16, Stefan Winter wrote:
> Hi,
>
> now testing with isa.ulisboa.pt :-)
>
> okay, after more looking around, I explicitly disabled TLS 1.0 on the
> client side, which made the server fail negotiation:
>
> OpenSSL: openssl_handshake - SSL_connect error:14077102:SSL
> routines:SSL23_GET_SERVER_HELLO:unsupported protocol
>
> So, the RADIUS server on the other end indeed only supports TLS 1.0 (I
> didn't look downward, maybe it does SSL3 still ;-) ).
>
> That still doesn't explain why iOS 9 would take offence - since the TLS
> 1.2 requirement was removed before GM, TLS 1.0 would be good enough.
>
> But I read this in the iOS 9 Release Notes:
>
> "Secure Transport
> Note
>
> DHE_RSA cipher suites are now disabled by default in Secure Transport
> for TLS clients. This may cause failure to connect to TLS servers that
> only support DHE_RSA cipher suites. "
>
> So, even if both sides negotiate TLS 1.0 - they could still fail if the
> server is on DHE_RSA only.
>
> Now, how would I find out if the server's cipher suites are only in the
> DHE_RSA family, or maybe even older and rejected by iOS since a longer
> time? I have no idea :-)
>
> Upgrading FreeRADIUS is still the solution of choice IMHO.
>
> Greetings,
>
> Stefan Winter
>
>
> On 05.10.2015 at 13:21, Stefan Winter wrote:
>> Hi,
>>
>>> certificate requirements are here:
>>> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>>>
>>>
>>> IOS9 devices working fine at other sites that have fixed their RADIUS
>>> server config and
>>> certificates
>> Assuming the realm is @ulisboa.pt:
>>
>> This doesn't look like a typical certificate property error. It's a
>> TERENA Certificate Service certificate valid until 2016.
>>
>> The reachability checks of CAT work fine when using eapol_test 2.0 and
>> fail badly with eapol_test 2.5.
>>
>> The debug log shows:
>>
>> [3644] => OpenSSL: tls_connection_private_key - Failed to load
>> private key error:0609E09C:digital envelope
>> routines:PKEY_SET_TYPE:unsupported algorithm
>> [3645] => OpenSSL: pending error: error:0606F076:digital envelope
>> routines:EVP_PKCS82PKEY:unsupported private key algorithm
>> [3646] => OpenSSL: pending error: error:140CB00D:SSL
>> routines:SSL_use_PrivateKey_file:ASN1 lib
>> [3647] => OpenSSL: pending error: error:0906D06C:PEM
>> routines:PEM_read_bio:no start line
>> [3648] => OpenSSL: pending error: error:140CB009:SSL
>> routines:SSL_use_PrivateKey_file:PEM lib
>>
>> ... this makes me think that this is the EAP-TTLS/PEAP TLS-1.2
>> incompatibility in FreeRADIUS pre 2.2.9 and pre 3.0.10.
>>
>> The only thing I don't have an answer for is: why is this now hitting
>> actual prod devices? According to collective rumour, Apple has removed
>> the TLS 1.2 negotiation just before the 9.0 GM. Maybe not in the
>> Italian GM?
>>
>> In any case, either
>> - downgrading OpenSSL to a version which does not support TLS 1.2
>> - upgrading FreeRADIUS to 2.2.9 or 3.0.10 (released tomorrow)
>>
>> would help. The first suggestion is more like a joke though - NEVER
>> downgrade security-relevant software!
>>
>> Greetings,
>>
>> Stefan Winter
>>
>


--
Tiago Picado
tpicado AT isa.ulisboa.pt

CIISA - Instituto Superior de Agronomia
Tapada da Ajuda, 1349-017 Lisboa, Portugal
+351.21.3653498/59, +351.21.3635031 (Fax)
http://www.isa.ulisboa.pt/ciisa
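The question Stefan raises in the quoted mail (how to find out whether the RADIUS server only speaks TLS 1.0, and whether its cipher suites are DHE_RSA-only, which iOS 9 disables by default) can be answered from the client side by running eapol_test with deliberately restricted configurations: disable all but one TLS version, and offer either all suites, no DHE suites, or only DHE suites, then read the OpenSSL error that comes back. The script below is an added example written for this archive page; it is not code from the CAT project, FreeRADIUS, or wpa_supplicant. It assumes eapol_test (built from wpa_supplicant 2.4 or later) is on PATH, that the wpa_supplicant options `openssl_ciphers` (global) and the `phase1` flags `tls_disable_tlsv1_0`, `tls_disable_tlsv1_1` and `tls_disable_tlsv1_2` are available, and that eapol_test prints `SUCCESS` or `FAILURE` at the end of its run. The `simulated_old_server` function is a constructed stand-in for a TLS 1.0-only, DHE_RSA-only server so the script can be run offline; the two OpenSSL error strings it emits are the one quoted in the thread and OpenSSL's standard text for a handshake_failure alert.

```python
"""Probe an eduroam EAP server's TLS version and cipher-suite support by
driving eapol_test with a matrix of restricted client configurations and
classifying the OpenSSL errors in its output.

Added example for this thread; not code from CAT, FreeRADIUS or wpa_supplicant.
Assumptions: eapol_test from wpa_supplicant 2.4+ on PATH; restrictions are
expressed through the wpa_supplicant options 'openssl_ciphers' (global) and
the phase1 flags tls_disable_tlsv1_0/1/2; eapol_test prints SUCCESS/FAILURE.
"""
import os
import re
import subprocess
import tempfile

# phase1 strings that leave exactly one TLS version enabled.
TLS_PROBES = {
    "tls1.0": "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1",
    "tls1.1": "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1",
    "tls1.2": "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
}

# OpenSSL cipher strings. 'no_dhe' mimics the iOS 9 Secure Transport default
# (DHE_RSA disabled); kEDH is OpenSSL's alias for ephemeral-DH key exchange.
CIPHER_PROBES = {
    "any": "DEFAULT",
    "no_dhe": "DEFAULT:!kEDH",
    "dhe_only": "kEDH:!aNULL",
}

# Output fragments to recognise. The first and third are quoted from the
# thread; 'alert handshake failure' is OpenSSL's text for the handshake_failure
# alert a server sends when none of the offered cipher suites is acceptable.
PATTERNS = [
    ("version_unsupported", re.compile(r"unsupported protocol")),
    ("cipher_rejected", re.compile(r"alert handshake failure")),
    ("client_key_error", re.compile(r"Failed to load private key")),
]
SUCCESS = re.compile(r"^SUCCESS$", re.M)


def build_config(identity, anon_identity, password, ca_cert, phase1, ciphers):
    """Render a wpa_supplicant/eapol_test config for one EAP-TTLS probe."""
    return "\n".join([
        f'openssl_ciphers="{ciphers}"',
        "network={",
        "    key_mgmt=WPA-EAP",
        "    eap=TTLS",
        f'    identity="{identity}"',
        f'    anonymous_identity="{anon_identity}"',
        f'    password="{password}"',
        f'    ca_cert="{ca_cert}"',
        f'    phase1="{phase1}"',
        '    phase2="auth=MSCHAPV2"',
        "}",
        "",
    ])


def classify(output):
    """Map eapol_test output to a result label."""
    if SUCCESS.search(output):
        return "ok"
    for label, rx in PATTERNS:
        if rx.search(output):
            return label
    return "failed_other"


def run_eapol_test(config_text, server, secret, port=1812, timeout=20):
    """Write the config to a temp file and run eapol_test against a RADIUS server."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(config_text)
        proc = subprocess.run(
            ["eapol_test", "-c", path, "-a", server, "-p", str(port),
             "-s", secret, "-t", str(timeout)],
            capture_output=True, text=True, timeout=timeout + 10)
        return proc.stdout + proc.stderr
    finally:
        os.unlink(path)


def probe_matrix(runner, identity, anon_identity, password, ca_cert):
    """Run every (TLS version, cipher family) combination through `runner`."""
    results = {}
    for vname, phase1 in TLS_PROBES.items():
        for cname, ciphers in CIPHER_PROBES.items():
            cfg = build_config(identity, anon_identity, password, ca_cert, phase1, ciphers)
            results[(vname, cname)] = classify(runner(cfg))
    return results


def summarize(results):
    """Derive which versions the server speaks and whether it is DHE_RSA-only."""
    versions = sorted(v for (v, c), r in results.items() if c == "any" and r == "ok")
    dhe_only = any(results.get((v, "no_dhe")) == "cipher_rejected"
                   and results.get((v, "dhe_only")) == "ok" for v in versions)
    return {"versions": versions, "dhe_only": dhe_only}


def simulated_old_server(config_text):
    """Constructed stand-in for a TLS 1.0-only, DHE_RSA-only server (offline demo)."""
    if "tls_disable_tlsv1_0=1" in config_text:
        return ("OpenSSL: openssl_handshake - SSL_connect error:14077102:SSL "
                "routines:SSL23_GET_SERVER_HELLO:unsupported protocol\nFAILURE\n")
    if "!kEDH" in config_text:
        return ("OpenSSL: openssl_handshake - SSL_connect error:14077410:SSL "
                "routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure\nFAILURE\n")
    return "EAP: Status notification: completion (param=success)\nSUCCESS\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:  # server secret identity password ca_cert
        server, secret, ident, pw, ca = sys.argv[1:]
        runner = lambda cfg: run_eapol_test(cfg, server, secret)
    else:  # no arguments: run against the constructed simulated server
        ident, pw, ca = "user@example.edu", "secret", "/etc/ssl/ca.pem"
        runner = simulated_old_server
    res = probe_matrix(runner, ident, "anonymous@example.edu", pw, ca)
    for k in sorted(res):
        print(f"{k[0]:7s} {k[1]:9s} -> {res[k]}")
    print(summarize(res))
```

Run without arguments to see the matrix against the simulated server; with `server secret identity password ca_cert` it drives the real eapol_test. A server that answers `ok` only for the `tls1.0` row is TLS 1.0-only, which matches the "unsupported protocol" error in the thread; a row where `any` and `dhe_only` succeed but `no_dhe` ends in a handshake_failure alert is a DHE_RSA-only server, which is exactly the case the iOS 9 release note warns about. A `client_key_error` result is reported separately because it is a client-side OpenSSL problem (the "Failed to load private key" lines quoted above) rather than a statement about the server's cipher suites.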





