cat-users - Re: [[cat-users]] SHA1 sunsetting

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: A.L.M.Buxey AT lboro.ac.uk
  • To: "Morris, Andi" <amorris AT cardiffmet.ac.uk>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] SHA1 sunsetting
  • Date: Thu, 7 Apr 2016 12:39:14 +0000

Hi,

> So, looking at that setup it doesn't matter that my root cert is SHA1, but
> we'll likely hit issues if the server cert is SHA1. However as that's not
> setup on the user devices I would guess that if I use the same root CA to
> create a new SHA256 server certificate with the same common name and tell
> the radius server to send that instead it would be transparent to users?

pretty much - certainly until clients get fussy about SHA1 root CAs... however,
any eg iOS devices that were 'setup' by the user just joining eduroam SSID
and putting in their user/pass will get a verification check warning as the
device uses the server fingerprint as part of the local profile.... but this
is the eduroam CAT list so won't affect eduroamCAT configured devices.

so same common name - and SAN too (for greater client compatibility) - CRLDP
defined point in root CA might be the only issue - if you don't have one then
some clients aren't going to work

alan
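
The checks discussed in this message, as an added example that is not part of the original post: a shell sketch that compares a replacement RADIUS server certificate with the one it replaces (same common name, not SHA1-signed, SAN present) and warns when no CRL distribution point is found. The function names and file arguments are hypothetical, and it assumes the CRLDP is looked for in the server certificate itself.

```shell
#!/bin/sh
# Added example, not from the original thread. Requires the openssl CLI.
# Usage (hypothetical file names): sh check.sh old-server.pem new-server.pem

# Signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Subject common name of a PEM certificate
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# True if the certificate carries the named X.509v3 extension
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# $1 = certificate currently sent by the RADIUS server, $2 = its replacement
check_replacement() {
    rc=0
    # Clients configured with the server name must still match it
    [ "$(subject_cn "$1")" = "$(subject_cn "$2")" ] ||
        { echo "FAIL: common name differs"; rc=1; }
    # The replacement must not be SHA1-signed again
    case "$(sig_alg "$2")" in
        *[Ss][Hh][Aa]1*) echo "FAIL: new cert signed with $(sig_alg "$2")"; rc=1 ;;
    esac
    # SAN for greater client compatibility
    has_ext "$2" "X509v3 Subject Alternative Name" ||
        { echo "FAIL: new cert has no SAN"; rc=1; }
    # Assumption: the CRLDP is expected in the server certificate
    has_ext "$2" "X509v3 CRL Distribution Points" ||
        echo "WARN: new cert has no CRL distribution point"
    return $rc
}

if [ "$#" -eq 2 ]; then
    check_replacement "$1" "$2"
fi
```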


