cat-users - RE: [[cat-users]] Eduroam CAT ChromeOS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

RE: [[cat-users]] Eduroam CAT ChromeOS


  • From: "Rozenblad, D. (Dave)" <d.rozenblad AT ru.nl>
  • To: 'Stefan Winter' <stefan.winter AT restena.lu>, "'cat-users AT lists.geant.org'" <cat-users AT lists.geant.org>
  • Cc: "Canoy, V.C.M. (Veronica)" <v.canoy AT ru.nl>, "Willems, T. (Tamira)" <T.Willems AT ru.nl>, "Pol, F.A. (Ferdinand)" <f.pol AT ru.nl>, "Beuger, R.M. (Ron)" <r.beuger AT ru.nl>, "Graaf, A.M. van der (Arthur)" <a.vandergraaf AT ru.nl>, "Hollands, N.R.H. (Nicolette)" <N.Hollands AT ru.nl>, "Loonen, J.F.M.M. (Jacques)" <j.loonen AT ru.nl>
  • Subject: RE: [[cat-users]] Eduroam CAT ChromeOS
  • Date: Tue, 9 Oct 2018 06:20:45 +0000
  • Accept-language: nl-NL, en-US

Dear Stefan,

Seems like something we will have to look into.

Thank you for the information and quick responses!

Regards,

Dave Rozenblad | Skilled Helpdesk | ICT Servicecentrum | Radboud Universiteit
Geert Grooteplein 41, 6525 GA Nijmegen | (024) 36 22222 | www.ru.nl/isc

This message and any attachment are intended solely for the addressee(s) and
may contain confidential information. If you are not the addressee, you may not
copy this message and its attachment or disclose or distribute them to third
parties. U wordt verzocht de afzender hiervan onmiddellijk op de hoogte te
stellen en het bericht te verni


-----Original Message-----
From: Stefan Winter <stefan.winter AT restena.lu>
Sent: Friday 5 October 2018 12:54
To: Rozenblad, D. (Dave) <d.rozenblad AT ru.nl>; 'cat-users AT lists.geant.org'
<cat-users AT lists.geant.org>
Cc: Canoy, V.C.M. (Veronica) <v.canoy AT ru.nl>; Willems, T. (Tamira)
<T.Willems AT ru.nl>; Pol, F.A. (Ferdinand) <f.pol AT ru.nl>; Beuger, R.M. (Ron)
<r.beuger AT ru.nl>; Graaf, A.M. van der (Arthur) <a.vandergraaf AT ru.nl>;
Hollands, N.R.H. (Nicolette) <N.Hollands AT ru.nl>; Loonen, J.F.M.M. (Jacques)
<j.loonen AT ru.nl>
Subject: Re: [[cat-users]] Eduroam CAT ChromeOS

Hi,

> The root certificate isn't the problem here. The main issue is that
> chromeOS denies our radius certificate due to a too 'weak' Diffie-Hellman.

Ah. Well that is something entirely different. Here on the cat-users mailing
list we talk about the CAT service which installs certificates and more, as a
one-time operation before actually /using/ eduroam.

Diffie-Hellman parameters are used during the actual authentication.
They are not a property of any certificate - they are a cryptographic
auxiliary parameter on the system, not in the certificate - and so are
nothing a CAT installer even sees.

So, when you talked about refused certificates, I looked up known issues we
have about certificates and their rejection during installation time with a
CAT installer.

So, strictly speaking, your request is off-topic for this list.

> I already reported this to one of our certificate specialists so we can
> check this matter from our side. Is this a problem that has been reported
> previously by any other university? (Because I found this article online
> and it seems like a common issue:)

The weaknesses of DH and the discontinuation of 1024-bit sizes are a
well-known situation in the IT industry. A few years back, almost every web
server admin had to touch his DH file to make it 2048 bits or more.
1024-bit DH parameters are as unsafe in a web browser context as in any other
cryptographic context, such as the TLS tunnel establishment with EAP
authentication.

I would think this problem has weathered out in the last few years, as
software has defaulted to larger sizes for a while. As a random data point, I
looked at the FreeRADIUS 3.0.10 (October '15) cert generation Makefile and it
has 2048 bits as the DH size already.

> https://groups.google.com/forum/#!topic/appsusergroup/JjHRpfkS8kg
>
> --
> 1. What's happening?
>
> - The main problem here is the Diffie Hellman weakness, this is a
> mathematical algorithm that is used to exchange a shared secret between two
> parties (i.e.: client and server). This shared secret can then be used to
> encrypt messages between the two parties and/or authenticate networks.
>
> - With the recent wave of further SSL attacks on the tech community, Chrome
> OS and other systems are making moves to stop SSL clients from negotiating
> connections where the parameters have weak Diffie-Hellman (DH) keys.
>
> 2. Behavior:
>
> - Customers affected by this issue are reporting that they are not
> able to connect to their PEAP/EAP-xxx networks. This is most likely
> due to the fact that an appliance in their environment is using a DH
> key with sub-1024 bit encryption (i.e.: radius server, vpn
> concentrator, etc.)
>
> 3. The workarounds given are:
>
> - Upgrading the DH parameter file to 2048 bit -or-
>
> - Use PPSK instead of EAP-xxx -or-
>
> - Update firmware on appliance
>
> 4. What I would recommend:
>
> - Contact your network administrator and certificate issuer to upgrade the
> DH parameter file to 2048 bit, this will increase your certificate quality
> and security and it will allow the connection to succeed.
>
> 5. For more details about the Diffie Hellman attacks, please visit
> https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html.

Well, glad you found that link. It explains all this in a nice way. I suggest
you do what that post recommends :-)

Greetings,

Stefan Winter

> --
>
> As for Windows Phone. Exactly what I thought.
>
> Thanks for the assistance!
>
> Regards,
> Dave
>
> -----Original Message-----
> From: Stefan Winter <stefan.winter AT restena.lu>
> Sent: Friday 5 October 2018 10:56
> To: Rozenblad, D. (Dave) <d.rozenblad AT ru.nl>;
> 'cat-users AT lists.geant.org' <cat-users AT lists.geant.org>
> Cc: Canoy, V.C.M. (Veronica) <v.canoy AT ru.nl>; Willems, T. (Tamira)
> <T.Willems AT ru.nl>; Pol, F.A. (Ferdinand) <f.pol AT ru.nl>
> Subject: Re: [[cat-users]] Eduroam CAT ChromeOS
>
> Hello,
>
>> We’ve been using Eduroam CAT as a primary Eduroam configurator for
>> our university. Unfortunately, unlike other systems ChromeOS somehow
>> (in some cases) gives us a certificate locally rejected error. Is
>> this a known issue and is there anything we can do to solve or
>> work-around this matter? The certificates (when I try to install them
>> via Settings) are giving the message ‘Already Installed’.
>
> Is the CA by any chance one that issues EV certificates? We found earlier
> that ChromeOS treats EV CAs very specially. It considers the addition of
> the same CA to the Wi-Fi store as an overwrite of its EV trust store and
> refuses to do this.
>
> If you are unsure if this is the case, or if you know it is not and want me
> to investigate further, you would need to send me a copy of the root CA
> certificate. It's fine to do that off-list.
>
>> Also I’d like to state that there’s no Windows Phone version but I
>> guess it won’t be supported or..?
>
> We put quite some effort into trying this many years ago and ran into some
> intentionally constructed walls on the OS side.
>
> And these days, all I can say is that even the manufacturer has given up on
> the platform. So this is nothing we want to sink time into any more.
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale
> et de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's
key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


