cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: "Rozenblad, D. (Dave)" <d.rozenblad AT ru.nl>
- To: 'Stefan Winter' <stefan.winter AT restena.lu>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
- Cc: "Canoy, V.C.M. (Veronica)" <v.canoy AT ru.nl>, "Willems, T. (Tamira)" <T.Willems AT ru.nl>, "Pol, F.A. (Ferdinand)" <f.pol AT ru.nl>, "Beuger, R.M. (Ron)" <r.beuger AT ru.nl>, "Graaf, A.M. van der (Arthur)" <a.vandergraaf AT ru.nl>, "Hollands, N.R.H. (Nicolette)" <N.Hollands AT ru.nl>, "Loonen, J.F.M.M. (Jacques)" <j.loonen AT ru.nl>
- Subject: RE: [[cat-users]] Eduroam CAT ChromeOS
- Date: Fri, 5 Oct 2018 10:00:53 +0000
- Accept-language: nl-NL, en-US
Dear (Stefan),
The root certificate isn't the problem here. The main issue is that chromeOS
denies our radius certificate due to a too 'weak' Diffie-Hellman. I already
reported this to one of our certificates specialist so we can check this
matter from our side. Is this a problem that has been reported previously by
any other university? (Because I found this article online) and it seems like
a common issue:
https://groups.google.com/forum/#!topic/appsusergroup/JjHRpfkS8kg
--
1. What's happening?
- The main problem here is the Diffie Hellman weakness, this is a
mathematical algorithm that is used to exchange a shared secret between two
parties (i.e.: client and server). This shared secret can then be used to
encrypt messages between the two parties and/or authenticate networks.
- With the recent wave of further SSL attacks on the tech community, Chrome
OS and other systems are making moves to stop SSL clients from negotiating
connections where the parameters have weak Diffie-Hellman (DH) keys.
2. Behavior:
- Customers affected by this issue are reporting that they are not able to
connect to their PEAP/EAP-xxx networks. This is most likely due to the fact
that an appliance in their environment is using a DH key with sub-1024 bit
encryption (i.e.: radius server, vpn concentrator, etc.)
3. The workarounds given are:
- Upgrading the DH parameter file to 2048 bit -or-
- Use PPSK instead of EAP-xxx -or-
- Update firmware on appliance
4. What I would recommend:
- Contact your network administrator and certificate issuer to upgrade the DH
parameter file to 2048 bit, this will increase your certificate quality and
security and it will allow the connection to succeed.
5. For more details about the Diffie Hellman attacks, please visit
https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html.
--
As for Windows Phone. Exactly what I thought.
Thanks for the assistance!
Regards,
Dave
-----Original Message-----
From: Stefan Winter
<stefan.winter AT restena.lu>
Sent: vrijdag 5 oktober 2018 10:56
To: Rozenblad, D. (Dave)
<d.rozenblad AT ru.nl>;
'cat-users AT lists.geant.org'
<cat-users AT lists.geant.org>
Cc: Canoy, V.C.M. (Veronica)
<v.canoy AT ru.nl>;
Willems, T. (Tamira)
<T.Willems AT ru.nl>;
Pol, F.A. (Ferdinand)
<f.pol AT ru.nl>
Subject: Re: [[cat-users]] Eduroam CAT ChromeOS
Hello,
> We’ve been using Eduroam CAT as a primary Eduroam configurator for our
> university. Unfortunately, unlike other systems ChromeOS somehow (in
> some cases) gives us a certificate locally rejected error. Is this a
> known issue and is there anything we can do to solve or work-around
> this matter? The certificates (when I try to install them via
> Settings) are giving the message ‘Already Installed’.
Is the CA by any chance one that issues EV certificates? We found earlier
that ChromeOS treats EV CAs very specially. It considers the addition of the
same CA to the Wi-Fi store as an overwrite of its EV trust store and refuses
to do this.
If you are unsure if this is the case, or if you know it is not and want me
to investigate further, you would need to send me a copy of the root CA
certificate. It's fine to do that off-list.
> Also I’d like to state that there’s no Windows Phone version but I
> guess it won’t be supported or..?
We put quite some effort into trying this many years ago and ran into some
intentionally constructed walls on the OS side.
And these days, all I can say is that even the manufacturer has given up on
the platform. So this is nothing we want to sink time into any more.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche 2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
- [[cat-users]] Eduroam CAT ChromeOS, Rozenblad, D. (Dave), 09/19/2018
- Re: [[cat-users]] Eduroam CAT ChromeOS, Stefan Winter, 10/05/2018
- RE: [[cat-users]] Eduroam CAT ChromeOS, Rozenblad, D. (Dave), 10/05/2018
- Re: [[cat-users]] Eduroam CAT ChromeOS, Stefan Winter, 10/05/2018
- RE: [[cat-users]] Eduroam CAT ChromeOS, Rozenblad, D. (Dave), 10/09/2018
- Re: [[cat-users]] Eduroam CAT ChromeOS, Stefan Winter, 10/05/2018
- RE: [[cat-users]] Eduroam CAT ChromeOS, Rozenblad, D. (Dave), 10/05/2018
- Re: [[cat-users]] Eduroam CAT ChromeOS, Stefan Winter, 10/05/2018
Archive powered by MHonArc 2.6.19.