Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Eduroam CAT ChromeOS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Eduroam CAT ChromeOS


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Rozenblad, D. (Dave)" <d.rozenblad AT ru.nl>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
  • Cc: "Canoy, V.C.M. (Veronica)" <v.canoy AT ru.nl>, "Willems, T. (Tamira)" <T.Willems AT ru.nl>, "Pol, F.A. (Ferdinand)" <f.pol AT ru.nl>, "Beuger, R.M. (Ron)" <r.beuger AT ru.nl>, "Graaf, A.M. van der (Arthur)" <a.vandergraaf AT ru.nl>, "Hollands, N.R.H. (Nicolette)" <N.Hollands AT ru.nl>, "Loonen, J.F.M.M. (Jacques)" <j.loonen AT ru.nl>
  • Subject: Re: [[cat-users]] Eduroam CAT ChromeOS
  • Date: Fri, 5 Oct 2018 12:53:34 +0200
  • Autocrypt: addr=stefan.winter AT restena.lu; prefer-encrypt=mutual; keydata= xsFNBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABzTxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT7CwXkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8c7BTQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAcLBXwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

> The root certificate isn't the problem here. The main issue is that
> chromeOS denies our radius certificate due to a too 'weak' Diffie-Hellman.

Ah. Well that is something entirely different. Here on the cat-users
mailing list we talk about the CAT service which installs certificates
and more, as a one-time operation before actually /using/ eduroam.

Diffie-Hellman parameters are used during the actual authentication.
They are not a property of any certificate - they are a cryptographic
auxiliary parameter on the system, not in the certificate - and so are
nothing a CAT installer even sees.

So, when you talked about refused certificates, I looked up known issues
we have about certificates and their rejection during installation time
with a CAT installer.

So, strictly spoken, your request is off-topic for this list.

> I already reported this to one of our certificates specialist so we can
> check this matter from our side. Is this a problem that has been reported
> previously by any other university? (Because I found this article online)
> and it seems like a common issue:

The weaknesses of DH and the discontinuation of 1024 bit sizes is a
well-known situation in the IT industry. A few years back, almost every
web server admin had to touch his DH file to make it 2048 bits or more.
1024 DH parameters are as unsafe in a web browser context as in any
other cryptographic context, such as the TLS tunnel establishment with
EAP authentication.

I would think this problem has weathered out in the last few years as
software defaults to larger sizes since a while. As a random data point,
I looked at the FreeRADIUS 3.0.10 (October '15) cert generation Makefile
and it has 2048 bits as the DH size already.

> https://groups.google.com/forum/#!topic/appsusergroup/JjHRpfkS8kg
>
> --
> 1. What's happening?
>
> - The main problem here is the Diffie Hellman weakness, this is a
> mathematical algorithm that is used to exchange a shared secret between two
> parties (i.e.: client and server). This shared secret can then be used to
> encrypt messages between the two parties and/or authenticate networks.
>
> - With the recent wave of further SSL attacks on the tech community, Chrome
> OS and other systems are making moves to stop SSL clients from negotiating
> connections where the parameters have weak Diffie-Hellman (DH) keys.
>
> 2. Behavior:
>
> - Customers affected by this issue are reporting that they are not able to
> connect to their PEAP/EAP-xxx networks. This is most likely due to the
> fact that an appliance in their environment is using a DH key with sub-1024
> bit encryption (i.e.: radius server, vpn concentrator, etc.)
>
> 3. The workarounds given are:
>
> - Upgrading the DH parameter file to 2048 bit -or-
>
> - Use PPSK instead of EAP-xxx -or-
>
> - Update firmware on appliance
>
> 4. What I would recommend:
>
> - Contact your network administrator and certificate issuer to upgrade the
> DH parameter file to 2048 bit, this will increase your certificate quality
> and security and it will allow the connection to succeed.
>
> 5. For more details about the Diffie Hellman attacks, please visit
> https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html.

Well, glad you found that link. It explains all this in a nice way. I
suggest you do what that post recommends :-)

Greetings,

Stefan Winter

> --
>
> As for Windows Phone. Exactly what I thought.
>
> Thanks for the assistance!
>
> Regards,
> Dave
>
> -----Original Message-----
> From: Stefan Winter
> <stefan.winter AT restena.lu>
>
> Sent: vrijdag 5 oktober 2018 10:56
> To: Rozenblad, D. (Dave)
> <d.rozenblad AT ru.nl>;
>
> 'cat-users AT lists.geant.org'
>
> <cat-users AT lists.geant.org>
> Cc: Canoy, V.C.M. (Veronica)
> <v.canoy AT ru.nl>;
> Willems, T. (Tamira)
> <T.Willems AT ru.nl>;
> Pol, F.A. (Ferdinand)
> <f.pol AT ru.nl>
> Subject: Re: [[cat-users]] Eduroam CAT ChromeOS
>
> Hello,
>
>> We’ve been using Eduroam CAT as a primary Eduroam configurator for our
>> university. Unfortunately, unlike other systems ChromeOS somehow (in
>> some cases) gives us a certificate locally rejected error. Is this a
>> known issue and is there anything we can do to solve or work-around
>> this matter? The certificates (when I try to install them via
>> Settings) are giving the message ‘Already Installed’.
>
> Is the CA by any chance one that issues EV certificates? We found earlier
> that ChromeOS treats EV CAs very specially. It considers the addition of
> the same CA to the Wi-Fi store as an overwrite of its EV trust store and
> refuses to do this.
>
> If you are unsure if this is the case, or if you know it is not and want me
> to investigate further, you would need to send me a copy of the root CA
> certificate. It's fine to do that off-list.
>
>> Also I’d like to state that there’s no Windows Phone version but I
>> guess it won’t be supported or..?
>
> We put quite some effort into trying this many years ago and ran into some
> intentionally constructed walls on the OS side.
>
> And these days, all I can say is that even the manufacturer has given up on
> the platform. So this is nothing we want to sink time into any more.
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page