
cat-users - Re: [[cat-users]] wildcard certificates supported?

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, cat-users AT lists.geant.org, Jose Manuel Macias Luna <jmanuel.macias AT rediris.es>
  • Subject: Re: [[cat-users]] wildcard certificates supported?
  • Date: Wed, 1 Mar 2017 10:37:50 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

wildcards do not have a defined meaning in EAP.

Everybody thinks there is some universal meaning to the *
character. There's not. The X.509/TLS certificate RFCs all state,
paraphrased, "if you want the * to mean something special/wildcardy, you
will need to define this in your application".

The application "HTTPS" did that, and that's why web browsers implement
that defined behaviour for *web traffic*.

The application "EAP" did NOT. And that's why every supplicant does
whatever they like with the * character. Some take it as a literal, some
take it as HTTPS-style wildcard, some do something weird because they
think that's a good thing to do (Microsoft is in that last category).

Given that wildcards are undefined, non standardised behaviour, they
should not be trusted to do anything useful for EAP purposes. If you
have a cert with a *, be surprised what happens.

That's why the EAP cert recommendation page recommends you not to use
wildcard certificates :-)

Greetings,

Stefan Winter

On 16.02.2017 at 12:51, Tomasz Wolniewicz wrote:
> Hi,
> Actually this may be a problem indeed. Windows has a strange approach
> to regular expressions in certificate names.
> We did have a discussion about that on the list a long time ago and I
> have even started implementing something but then gave up as it
> generally seems that wildcard certificates are not a great idea and
> people do not really use them.
>
> At this point I do not remember more details.
> Tomasz
>
>
>
> On 2017-02-16 at 12:43, Jose Manuel Macias Luna wrote:
>> Hi,
>>
>> I'm not sure about this, but surely Tomasz, Alan or Stefan can give an
>> appropriate answer.
>>
>> One of our institutions is using a wildcard certificate for their radius
>> server (with CN *.someidp.tld), and that's what they have configured in
>> eduroam CAT admin interface. This institution in particular is having
>> problems with installers for win8 and win10, and the only thing
>> suspicious I see in their profile is the wildcard certificate.
>>
>> I have had a look at the admin guide and it says nothing about this
>> particular case:
>>
>> «The name of your server as specified in the Common Name (CN) of your
>> EAP server certificate»
>>
>> https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators#AguidetoeduroamCATforinstitutionadministrators-Institution-wideSettings
>>
>> I have found some text (I think from Stefan?) in the "EAP Server
>> Certificate Considerations" article:
>>
>> server name not a wildcard name (e.g. "*.someidp.tld"). Some supplicants
>> exhibit undefined/buggy behaviour when attempting to parse incoming
>> certificates with a wildcard. Windows 8 and 8.1 are known to choke on
>> wildcard certificates.
>>
>> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>>
>> So my question is... is this accepted by all the clients configured by
>> CAT, or would some of them only admit somename.someidp.tld?
>>
>> If so, I think we should maybe issue a warning at the CAT web interface
>> for admins, and/or update the admin guide to reflect this.
>>
>>
>> Thanks in advance,
>>
>> Jose Manuel.


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
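Added example, not part of the thread above and not eduroam CAT code: a small Python script that makes Stefan's point concrete and sketches the admin-side warning Jose asks for. It puts two plausible supplicant interpretations of "*" side by side (literal string comparison versus HTTPS-style matching along the lines of RFC 6125 section 6.4.3, with the browsers' extra rule that a wildcard needs at least two labels after it) and shows that the same certificate name *.someidp.tld passes on one and fails on the other depending on what the admin typed as the expected server name. The names, hostnames, function names and the two "supplicant" models are constructed for illustration; real supplicants may behave in yet other ways, which is exactly the problem.

```python
"""Why a '*' in an EAP server certificate name is a gamble.

Added example (not from the cat-users thread or the eduroam CAT code base).
HTTPS defines what '*' means in a presented name; EAP does not, so one
supplicant may treat it as a plain character and another may apply
HTTPS-style rules.  Everything below is constructed for illustration.
"""


def matches_literal(cert_name: str, expected: str) -> bool:
    """Model supplicant A: '*' is just a character; names must be equal
    (DNS names are compared case-insensitively)."""
    return cert_name.lower() == expected.lower()


def matches_https_style(cert_name: str, expected: str) -> bool:
    """Model supplicant B: HTTPS-style matching (RFC 6125 section 6.4.3
    rules as browsers apply them).

    - a wildcard is only honoured as the complete left-most label,
    - it stands in for exactly one non-empty label,
    - browsers additionally refuse a wildcard directly under a TLD,
    - the expected name is a hostname, so it may not contain '*' itself.
    """
    cert_labels = cert_name.lower().split(".")
    host_labels = expected.lower().split(".")
    if "*" in expected:
        return False
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Partial wildcards ("rad*.someidp.tld") or '*' in a later label are
    # not honoured at all.
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    # Browser rule: "*.tld" is never accepted.
    if len(cert_labels) < 3:
        return False
    return (
        len(host_labels) == len(cert_labels)
        and host_labels[0] != ""
        and host_labels[1:] == cert_labels[1:]
    )


def supplicant_verdicts(cert_name: str, expected: str) -> dict:
    """Same certificate name, same expected name, one verdict per model."""
    return {
        "literal": matches_literal(cert_name, expected),
        "https_style": matches_https_style(cert_name, expected),
    }


def wildcard_names(server_names):
    """Pre-flight check for a profile: return the configured server names
    that contain '*', so the admin can be warned before the profile is
    pushed to supplicants whose wildcard behaviour is undefined."""
    return [name for name in server_names if "*" in name]


if __name__ == "__main__":
    # Constructed scenario from the thread: the IdP's RADIUS server
    # presents a certificate with CN *.someidp.tld.
    cert_cn = "*.someidp.tld"
    for expected in ("radius.someidp.tld", "*.someidp.tld",
                     "a.b.someidp.tld", "someidp.tld"):
        print(f"{expected:22} {supplicant_verdicts(cert_cn, expected)}")
    print("names to warn about:",
          wildcard_names(["*.someidp.tld", "radius.someidp.tld"]))
```

Run stand-alone, the loop prints the verdict table: if the admin enters radius.someidp.tld, model A rejects and model B accepts; if the admin enters *.someidp.tld literally, the outcome flips. No single value the admin can type satisfies both models, which is why the only robust advice is the one on the EAP certificate considerations page: do not use a wildcard certificate for the EAP server, and a tool like CAT can flag a configured name containing "*" with a check like wildcard_names before the profile is published.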



