An open discussion list for topics related to the geteduroam service

[Paul Dekkers <paul.dekkers AT surf.nl>]

Hi,

Ok, so I suspect the issue you're seeing that is fixable with the -legacy flag is only on your local system; yet we don't currently configure a passphrase for the .pkcs12 files that are manually downloaded so I didn't expect you to have that problem on manual downloaded certificates. If you extracted the pkcs12 payload from the .eap-config, this makes more sense.

Android 12 and Pixel 6 should just work; at least I just used Android 12 on a Pixel 5 a couple of times today and that worked ;-)

We need to look at generating a pkcs12 with a supported algorithm for end-user devices with OpenSSL 3; but I don't expect your Android phone has that already unless that's pushed to a very recent Android 12 update? (Feel free to suggest a fix ;-) The fix may actually also be to run the server on an OpenSSL 3 server maybe, hmm. Like Ubuntu 22.04.)

If you want to rule things out, I can give you a test-account at a demo instance (running Debian) so you can test if it happens there or is something related to your local letswifi-ca deployment? (Send me a private mail if you want to try that.)

Regards,

Paul

On 16/08/2022 18:01, Darren Boss wrote:

YT1PR01MB9435272292E2A4452DDB6695966B9 AT YT1PR01MB9435.CANPRD01.PROD.OUTLOOK.COM"> On the Rocky 8.6 vm:
OpenSSL 1.1.1k  FIPS 25 Mar 2021

On my local system (Fedora 36) where I'm running openssl to inspect the certs/keys: OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

Android version is 12 on a Pixel 6

 

Darren Boss (he/him)

Senior Programmer | Développeur Sénior

 

 

     343-341-2323

---

From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Tuesday, August 16, 2022 11:56 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>
Cc: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: Re: Problem with certificates generated

 

You don't often get email from paul.dekkers AT surf.nl. Learn why this is important

Hi,

What version of OpenSSL does your Rocky server run, and what version of Android are you testing with?

Regards,

Paul

On 16/08/2022 17:12, Darren Boss (via geteduroam Mailing List) wrote:

I've been able to setup the portal app without too much trouble but while testing with Android it wasn't working and I started looking closely at the assets downloaded manually from the portal. The PKCS12 button generates a file that when I try inspecting with openssl, shows this error:
Error outputting keys and certificates
401C6D75A67F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

When using the -legacy flag, I can convert the format and even get my profile working with a Linux laptop and our appropriately configured freeradius server.
The certs in the mobileconfig are using this cipher as well if I copy out the base64 encoded string, decode, and inspect with openssl from the command line.
The vm running the portal app is running Rocky 8.6 and PHP 7.4 from the Rocky repos. Is the error I see in the manual downloads unusual? Any tips for doing further debugging or thoughts about what I'm seeing? I'm thinking of deploying on a Debian based vm just to see if the behavior is different.

Darren Boss (he/him)

Senior Developer | Développeur Senior

 

darren.boss AT alliancecan.ca

 

343-341-2323

 

0000-0001-7588-9500

alliancecan.ca