Skip to Content.

cat-users - Re: [[cat-users]] Ubuntu Linux fails to verify server certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] Ubuntu Linux fails to verify server certificate


Chronological Thread 
    < Chronological >      < Thread >
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Per Mejdal Rasmussen <pmr AT its.aau.dk>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Ubuntu Linux fails to verify server certificate
  • Date: Mon, 2 Sep 2019 09:45:16 +0200
  • Autocrypt: addr=stefan.winter AT restena.lu; prefer-encrypt=mutual; keydata= mQINBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABtDxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT6JAjkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8bkCDQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAYkCHwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,

> I would like to report a problem with the installer for Ubuntu.
>
> Ubuntu Linux fails to verify the authentication server's certificate.
> Because it is altsubject, not CN that is validated.

Yes, it validates the subjectAltName:DNS, not the CN. That is intentional.

> This not only an issue if the certificate does not have altsubject.

You meant to write "This *is* only an issue ..."?

That would be true.

> The problem is that when /etc/NetworkManager/system-connections/eduroam
> is generated this line is added:
>
> altsubject-matches=DNS:wifi.aau.dk;
>
> It should have been:
>
> domain_match=wifi.aau.dk
>
> However the version of wpa_supplicant that comes with Ubuntu does not
> support that, and will ignore the line.

Well if your Linux distribution does not support that parameter, then it
is actually good that our installers don't try to set it, right?

You may want to file a bug report to Ubuntu to include a new version of
wpa_supplicant this new parameter recognised (at least
wpa_supplicant-2.8 supports it). You would also need to lobby
NetworkManager folks to create a new API method for it. The most recent
version supports domain-suffix-match but not domain-match
(https://developer.gnome.org/NetworkManager/stable/settings-802-1x.html)
[alternatively, one could settle for using domain-suffix-match]

Only when that supporting lower-layer infrastructure is available, our
installers can make use of that.

There is a reason why eduroam has a page with EAP server certificate
recommendations. They state that for maxmimum compatibility,
certificates should have CN and at least one sAN:DNS and that the value
in CN should also also be one of those sAN:DNS values.

We don't recommend this only for Linux reasons. The EAP method
specifications are not at all clear which field has precedence over
which other, and which need to be present. So the safest thing to do is
to make sure that the correct string is present in both variants.

Don't get me wrong: I do see that domain_match is superior to
altsubject_match because it provides a fallback. And both of these two
are superior to the subject_match we were forced to use years ago when
nothing else was available.

But we can't move on to this newest and more compatible way of
configuring unless all the distributions we care about actually ship
with code supporting it.

And until then I'm afraid the solution is to have a certificate with a
CN=subjectAltName.DNS .

Greetings,

Stefan Winter

> You can see below why I came to this conclusion:
>
>
> Ubuntu 19.04
> ------------
> When I fist run the installation I get this error in my FreeRadius log:
>
> Login incorrect (eap_peap: TLS Alert read:fatal:internal error)
>
> It then works if I in Ubuntu go to "Wi-Fi > Visible networks > eduroam",
> change nothing, and click apply.
>
> After further investigation I found that 4 lines get removed from
> /etc/NetworkManager/system-connections/eduroam.nmconnection when I click
> apply.
>
> The line that caused the problem was altsubject-matches=DNS:wifi.aau.dk;
>
> The CN of the radius server certificate is wifi.aau.dk. Both iOS, MacOS
> and Windows performs this check without problems.
>
>
> Ubuntu 18.04
> ------------
> Radius log is slightly different:
>
> Login incorrect (eap_peap: TLS Alert read:fatal:certificate unknown)
>
> Context of syslog
> TLS: altSubjectName match 'DNS:wifi.aau.dk' not found
> wlp2s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=6 depth=0
> subject='/C=DK/ST=Denmark/O=Aalborg Universitet/OU=IT
> Services/CN=wifi.aau.dk' err='AltSubject mismatch'
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature


  • Re: [[cat-users]] Ubuntu Linux fails to verify server certificate, Stefan Winter, 09/02/2019

Archive powered by MHonArc 2.6.19.

Top of Page