An open discussion list for topics related to the geteduroam service

[Chris Phillips <Chris.Phillips AT canarie.ca>]

Watching this Darren and others..

 

Since it’s a tlsv1 alert, is there interplay on the various cipher suites being negotiated within the RADIUS server to the supplicant?

What permissible ciphersuites are being made available on the RADIUS server for the negotiation and handshake (as hinted at here )

 

I’m not sure which cipher suites are minimally required for the geteduroam.app and the platforms it runs on but that could be a place to look into?

 

C

 

 

 

From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org> on behalf of Darren Boss <geteduroam AT lists.geant.org>
Date: Thursday, August 18, 2022 at 9:12 AM
To: Paul Dekkers <paul.dekkers AT surf.nl>, geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>, Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated

________________________________

External This email originated from outside the organization. Use caution when following links as they could open malicious web sites.
________________________________



I figured out the header issue yesterday but solved it differently with a
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} .
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
in the virtual host configuration.

The Andorid geteduroam app is able to install the wireless profile now but I'm right back to seeing this in the freeradius logs when the client attempts to authenticate to my testing eduroam ssid:

(27) eap: Expiring EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Finished EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Previous EAP request found for state 0xbac2bb39b8c6b6be, released from the list
(27) eap: Peer sent packet with method EAP TLS (13)
(27) eap: Calling submodule eap_tls to process data
(27) eap_tls: (TLS) EAP Done initial handshake
(27) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(27) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
(27) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
(27) eap_tls: (TLS) Server : Need to read more data: error
(27) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
(27) eap_tls: (TLS) In Handshake Phase
(27) eap_tls: (TLS) Application data.
(27) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(27) eap_tls: ERROR: [eaptls process] = fail
(27) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(27) eap: Sending EAP Failure (code 4) ID 4 length 4
(27) eap: Failed in EAP select
(27)     [eap] = invalid
(27)   } # authenticate = invalid
(27) Failed to authenticate the user
(27) Using Post-Auth-Type Reject

There was another message about problem with freeradius 3.0 so I also upgraded the freeradius packages under Rocky with the ones available at https://networkradius.com/packages/#fr32-rocky and there wasn't any change.

I simplied my radius configuration to the ones in the https://github.com/geteduroam/radius-server repo.

ca.pem is the output from "bin/get-signingca.php  radius.alliancecan.ca"

server.pem and server.key are the output from "bin/server-sign.php alliancecan.ca days_valid=1095"

Am I doing something wrong?

From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Thursday, August 18, 2022 5:24 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated

Hi,
Ah, so I think you're maybe running with Apache? Apache by default filters out the Authorization: header. I believe you can add
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
To your VirtualHost to pass the header to PHP.
I'm using nginx myself, and the documentation assumes lighttpd, but I can imagine you try with your favorite webserver and stumble upon this.
Regards,
Paul

On 17/08/2022 21:25, Darren Boss (via geteduroam Mailing List) wrote:
Got the response body logged via mod_security:
{
    "error": "invalid_request",
    "error_description": "Missing SERVER parameter HTTP_AUTHORIZATION"
}

This is the cause of the 400 error on the Debian vm.

From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org> on behalf of Jørn Åne de Jong <geteduroam AT lists.geant.org>
Sent: Wednesday, August 17, 2022 9:14 AM
To: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: Re: Problem with certificates generated

On 17/08/2022 14:54, Darren Boss (via geteduroam Mailing List) wrote:

I redeployed the portal on Debian 11.4 (Bullseye) but now I'm getting a error 400 on the call from the Android app to /api/eap-config/. I decided to log the Authorization header to a custom log and was able to decode it using a JWT decoder. Looks fine, sub claim is my email address (using email nameid from Azure AD). Including the decoded JWT in case it's something obvious:

{
    "__t": "access_token",
    "iat": "1660739494",
    "sub": "Darren.Boss AT alliancecan.ca",
    "realm": "alliancecan.ca",
    "scope": "eap-metadata",
    "code_challenge_method": "S256",
    "code_challenge": "LQpjYE1ZjYAC6i9OwaU3OFYUBR9-rV-X0ohvYcXpLi4",
    "client_id": "app.eduroam.geteduroam",
    "redirect_uri": "app.eduroam.geteduroam:/",
    "exp": "1676637094"
}

jwt.io is flagging the dates as invalid but they look right to me and the iat matches the date of the apache log entry.

I think the dates are supposed to be ISO strings.  I'll fix that in a
future release, but it's not really a problem since we don't need
interoperability with other solutions.

Error 400 means typically something wrong with the OAuth request.  Can
you find the answer body?  It should tell you what's wrong.

--
Jørn Åne de Jong
geteduroam