Subject: An open discussion list for topics related to the geteduroam service
List archive
- From: Darren Boss <Darren.Boss AT alliancecan.ca>
- To: Paul Dekkers <paul.dekkers AT surf.nl>, "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>, Jørn Åne de Jong <jornane.dejong AT surf.nl>
- Subject: Re: Problem with certificates generated
- Date: Thu, 18 Aug 2022 13:10:41 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=alliancecan.ca; dmarc=pass action=none header.from=alliancecan.ca; dkim=pass header.d=alliancecan.ca; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yze2WGUC6bUuz7TVXQ2w9yk5RuOhywoYQq5XwAZalZY=; b=AbArLFGYVHqn5h+opoa1MU7Q0WicjCkiOUQPuDWVX9Aki6/4nCb+ylpR7MTtB4LkEmTeQ9akMKcFnBmXisbasJ++xE42/PeMkMkUqf25uwJIsId/v79qQlRxrnlwaSg3nuJqWNJA2orh//XC764v5B9/2P83UGTQgDXoRLgpv6wksTg2REy+ZEiJ2uz/jsAI8Q1vSEraB0hEcJdhx5v6ndi8UE9x9UcURE9Dc7yVPspwNCC6fdfEbjCx8W4dUPXRkFVT3THceoaRPclFiUYms5N5EeJE0G4EjS7s5uRUh2BO8lMjLKcOj8eD12q5E5N7fo+gW0tzHIWm7rVQVJrhIA==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mawbjtRQ47wZGvikG47VMkddICkrAaAZzXXUGSim1hoCofls8/hZGRKYx76HrGYBuBAIdlYQO7Ok2u4FAj0zo5XwF+0EwnDv/O2kIQoi+i4x80801dNMFlvFezaO8I4Ib7VPSFUrnffFV9wNCJ9m497qpMmnVKzL6cwe0t5qf4ccO8mNhY/s8iuQXBMQe1MjNoQPvcOi30/Oul5k2DbNwkLQEfr9cZZPBMcVq+W4lCb8nOn/3yZiJEwOXfkIE0nvEJ4ktscfsBsvTZ7uuGHs5BXDeu83Vi+DLrKsd7Z7cDta0k+QTMKJi3Y92Md24iL5Zd+1t7ORYnlPWJOEQckhzg==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=alliancecan.ca;
- Msip_labels:
I figured out the header issue yesterday but solved it differently with a
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
in the virtual host configuration.
The Andorid geteduroam app is able to install the wireless profile now but
I'm right back to seeing this in the freeradius logs when the client attempts
to authenticate to my testing eduroam ssid:
(27) eap: Expiring EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Finished EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Previous EAP request found for state 0xbac2bb39b8c6b6be, released
from the list
(27) eap: Peer sent packet with method EAP TLS (13)
(27) eap: Calling submodule eap_tls to process data
(27) eap_tls: (TLS) EAP Done initial handshake
(27) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(27) eap_tls: (TLS) The client is informing us that there is a failure inside
the TLS protocol exchange.
(27) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
(27) eap_tls: (TLS) Server : Need to read more data: error
(27) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error
(27) eap_tls: (TLS) In Handshake Phase
(27) eap_tls: (TLS) Application data.
(27) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(27) eap_tls: ERROR: [eaptls process] = fail
(27) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
(27) eap: Sending EAP Failure (code 4) ID 4 length 4
(27) eap: Failed in EAP select
(27) [eap] = invalid
(27) } # authenticate = invalid
(27) Failed to authenticate the user
(27) Using Post-Auth-Type Reject
There was another message about problem with freeradius 3.0 so I also
upgraded the freeradius packages under Rocky with the ones available at
https://networkradius.com/packages/#fr32-rocky and there wasn't any change.
I simplied my radius configuration to the ones in the
https://github.com/geteduroam/radius-server repo.
ca.pem is the output from "bin/get-signingca.php radius.alliancecan.ca"
server.pem and server.key are the output from "bin/server-sign.php
alliancecan.ca days_valid=1095"
Am I doing something wrong?
From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Thursday, August 18, 2022 5:24 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated
Hi,
Ah, so I think you're maybe running with Apache? Apache by default filters
out the Authorization: header. I believe you can add
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
To your VirtualHost to pass the header to PHP.
I'm using nginx myself, and the documentation assumes lighttpd, but I can
imagine you try with your favorite webserver and stumble upon this.
Regards,
Paul
On 17/08/2022 21:25, Darren Boss (via geteduroam Mailing List) wrote:
Got the response body logged via mod_security:
{
"error": "invalid_request",
"error_description": "Missing SERVER parameter HTTP_AUTHORIZATION"
}
This is the cause of the 400 error on the Debian vm.
From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org>
on behalf of Jørn Åne de Jong <geteduroam AT lists.geant.org>
Sent: Wednesday, August 17, 2022 9:14 AM
To: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: Re: Problem with certificates generated
On 17/08/2022 14:54, Darren Boss (via geteduroam Mailing List) wrote:
I redeployed the portal on Debian 11.4 (Bullseye) but now I'm getting a error
400 on the call from the Android app to /api/eap-config/. I decided to log
the Authorization header to a custom log and was able to decode it using a
JWT decoder. Looks fine, sub claim is my email address (using email nameid
from Azure AD). Including the decoded JWT in case it's something obvious:
{
"__t": "access_token",
"iat": "1660739494",
"sub": "Darren.Boss AT alliancecan.ca",
"realm": "alliancecan.ca",
"scope": "eap-metadata",
"code_challenge_method": "S256",
"code_challenge": "LQpjYE1ZjYAC6i9OwaU3OFYUBR9-rV-X0ohvYcXpLi4",
"client_id": "app.eduroam.geteduroam",
"redirect_uri": "app.eduroam.geteduroam:/",
"exp": "1676637094"
}
jwt.io is flagging the dates as invalid but they look right to me and the iat
matches the date of the apache log entry.
I think the dates are supposed to be ISO strings. I'll fix that in a
future release, but it's not really a problem since we don't need
interoperability with other solutions.
Error 400 means typically something wrong with the OAuth request. Can
you find the answer body? It should tell you what's wrong.
--
Jørn Åne de Jong
geteduroam
- Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/16/2022
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/16/2022
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Darren Boss, 08/17/2022
- Re: Problem with certificates generated, Hideaki GOTO, 08/17/2022
- Re: Problem with certificates generated, Jørn Åne de Jong, 08/17/2022
- Re: Problem with certificates generated, Darren Boss, 08/17/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/18/2022
- Re: Problem with certificates generated, Darren Boss, 08/18/2022
- Re: Problem with certificates generated, Chris Phillips, 08/18/2022
- Re: Problem with certificates generated, Darren Boss, 08/18/2022
- Re: Problem with certificates generated, Darren Boss, 08/22/2022
- Re: Problem with certificates generated, Jørn Åne de Jong, 08/22/2022
- Re: Problem with certificates generated, Darren Boss, 08/23/2022
- Re: Problem with certificates generated, Darren Boss, 08/17/2022
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/16/2022
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/16/2022
Archive powered by MHonArc 2.6.19.