cat-users - Re: [[cat-users]] FW: eduroam CAT authentication (Ref:IN:00216824)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] FW: eduroam CAT authentication (Ref:IN:00216824)


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Alan Buxey <alan.buxey AT gmail.com>, eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] FW: eduroam CAT authentication (Ref:IN:00216824)
  • Date: Tue, 24 Oct 2017 15:48:53 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> eduroamCAT only supports particular (i.e. recent) versions of Android.
> So long as the devices not working match that requirement, then the
> common cause of the problem is that your Android devices don't have the
> required intermediate certs installed - the eduroamCAT tool will install
> the root cert (if it's not present) but your RADIUS server SHOULD be
> sending the entire chain (local cert, intermediates) and not just the
> local cert. (In fact, there are some random devices out there that like
> the root cert to be sent out too, but they are slowly disappearing as
> people get rid of pretty old kit.)
>
> Your root appears to be SHA1 - it's 2017 - any new deployments should
> really be starting with SHA256 (and those with older SHA1 roots,
> think about upgrading :) )

Just to not let false information stand as-is on a mailing list: No.

The signature algorithm on the root CA itself is meaningless and ignored
by all supplicants around.

The reason is that the signature is entirely self-asserted by the
certificate itself - it is the certificate's own private key that signs
the cert. Making that SHA-512 does not make the information "I am sure
that I am myself" any more useful.

No supplicant I've come across takes offence at *that* signature.

Only if an intermediate CA or a server cert is signed with SHA-1 is there
reason to suspect that this is the cause of the error.

That's why I asked for the server cert - it's the only way to know if
there is an intermediate in play at all, and it's the only way to see if
there's something fishy about the cert chain and server cert properties.

Greetings,

Stefan Winter

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
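The check Stefan describes above, as an added example that is not part of this thread or of the CAT project: a Python script that walks the PEM bundle a RADIUS/EAP server sends (server cert first, then intermediates, optionally the root), reports each certificate's signature algorithm, flags SHA-1 only on the server cert and on intermediates (the self-signed root's own signature is deliberately ignored), and checks that every non-self-signed certificate is followed by its issuer, i.e. that the server really sends its intermediates. It uses only the standard library, with a minimal DER walker in place of an X.509 library. The sample chain at the bottom is constructed here: the certificates are structurally valid DER with zero-filled placeholder keys and signatures, so they exercise only the structural checks; the names `radius.example.org`, `Example Intermediate CA` and `Example Root CA` are invented.

```python
"""Structural check of the certificate bundle an EAP/RADIUS server sends (stdlib only)."""
import base64
import re

SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
CN_OID = "2.5.4.3"

def der_items(buf):
    items, pos = [], 0  # each item: (tag, value, raw_encoding) for one DER element
    while pos < len(buf):
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        items.append((tag, buf[pos:pos + length], buf[start:pos + length]))
        pos += length
    return items

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def name_cn(name_value):
    for _, rdn, _ in der_items(name_value):  # Name ::= SEQUENCE OF SET OF SEQUENCE {OID, value}
        for _, attr, _ in der_items(rdn):
            (_, oid, _), (_, val, _) = der_items(attr)[:2]
            if decode_oid(oid) == CN_OID:
                return val.decode()
    return "?"

def parse_cert(der):
    tbs, sig_alg, _sig = der_items(der_items(der)[0][1])[:3]  # Certificate ::= SEQUENCE {tbs, alg, sig}
    fields = der_items(tbs[1])
    if fields[0][0] == 0xA0:  # skip the explicit [0] version when present
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    sig_oid = decode_oid(der_items(sig_alg[1])[0][1])
    return {"issuer": fields[2][2], "subject": fields[4][2], "cn": name_cn(fields[4][1]),
            "sig_alg": SIG_ALGS.get(sig_oid, sig_oid)}

def pem_to_certs(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [parse_cert(base64.b64decode("".join(b.split()))) for b in blocks]

def check_chain(certs):
    """Findings for a chain in the order the server sends it (server cert first)."""
    findings = []
    for i, c in enumerate(certs):
        self_signed = c["issuer"] == c["subject"]  # DER Names compare bytewise
        if "sha1" in c["sig_alg"].lower() and not self_signed:
            findings.append(f"{c['cn']}: signed with {c['sig_alg']}; supplicants may reject it")
        if not self_signed and not (i + 1 < len(certs) and certs[i + 1]["subject"] == c["issuer"]):
            findings.append(f"{c['cn']}: issuer not sent; clients need the intermediate pre-installed")
    return findings

# Constructed sample chain: valid DER layout, zero-filled placeholder keys/signatures (no real crypto).
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def make_cert(subject_cn, issuer_cn, sig_oid):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid(CN_OID) + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"171024000000Z") * 2)
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, bytes(9)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name(issuer_cn) + validity + name(subject_cn) + spki)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, bytes(17)))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SHA1, SHA256 = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
ROOT = make_cert("Example Root CA", "Example Root CA", SHA1)  # SHA-1 on the self-signed root: harmless
INTER = make_cert("Example Intermediate CA", "Example Root CA", SHA256)
INTER_SHA1 = make_cert("Example Intermediate CA", "Example Root CA", SHA1)
SERVER = make_cert("radius.example.org", "Example Intermediate CA", SHA256)
FULL_CHAIN = SERVER + INTER + ROOT  # what a correctly configured server sends; SERVER alone is the usual mistake
WEAK_INTERMEDIATE = SERVER + INTER_SHA1 + ROOT

if __name__ == "__main__":
    for label, bundle in (("full chain", FULL_CHAIN), ("server cert only", SERVER), ("SHA-1 intermediate", WEAK_INTERMEDIATE)):
        print(f"{label}: {check_chain(pem_to_certs(bundle)) or 'no findings'}")
```

On real input, feed `check_chain(pem_to_certs(...))` the PEM bundle the server is configured to send (or a chain extracted from a captured EAP exchange), with the server certificate first as it appears on the wire. Signature algorithm OIDs outside `SIG_ALGS` are reported as dotted strings; add the ECDSA OIDs there if your CA uses them, so that `ecdsa-with-SHA1` is caught by the same `"sha1"` test. The script checks layout only: it does not validate signatures or expiry, which is the supplicant's job and a separate question from whether the chain is complete.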




Archive powered by MHonArc 2.6.19.
