Subject: An open discussion list for topics related to the geteduroam service
List archive
- From: Darren Boss <Darren.Boss AT alliancecan.ca>
- To: Chris Phillips <Chris.Phillips AT canarie.ca>, Paul Dekkers <paul.dekkers AT surf.nl>, "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>, Jørn Åne de Jong <jornane.dejong AT surf.nl>
- Subject: Re: Problem with certificates generated
- Date: Thu, 18 Aug 2022 15:15:22 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=alliancecan.ca; dmarc=pass action=none header.from=alliancecan.ca; dkim=pass header.d=alliancecan.ca; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=gnWwMWMcYi5+zO80+wUpu4MOWEtk3d+dtajlvPttdl0=; b=Bvf4btYMIL7Syxq1ni/KNI2II7HFtRAlbwZsIepu54WVJmtblkBP2Ktc0dSJFBs659Ml5arZNq5jPIqxzRHHvP12A7QbGfEOjiXcavLFTtdjHktDCOPFaMj9otTL8zeuMhHqj1nME07tla5OjIeUMBQWacMEsIlOwGfR8/fEt5RUGsY+jGGy/MXHUGBojb8J/P717ZDcaTR2aHdCTlPEvl0nrhzPVv0ZUrBkwT7WFUS7YMsaTnnwxpAEe0jyrJomWYjZJ47YNd40oVU0ohEt0Knq8qIiBbOluXaxhmao/bluTcaHPJyt+dUx8hDB+TCzQ4GFwdvFZLZ2x6kOvgHB9w==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Zwzilzatlvyz2SwPgipsS7DZp3qM42nOvHuEhhfEFZNHCQkK2urZjURNi1tUBX4rjWRsVvmGZTm2a2Dw39rrcbF4wQhGZa8tSJ/6lUaT2fhShIoIeXj7a3XhGONVgcF9Jkx6pRRGhGJHjrQYDhMQ+GYBEEYcUC0kN0949+qdd9+LrWomWe55I7i2INO3Rh2KHonJFDAkFxA4ocw5SnYGaEmYZ5ML0qC/NWYvtx/arjf2CbafGXpDPZgBffjDcHhPaX/VBgpdKVi+QuOhD4bQTfYrY9AxYpSQa8k/roAeJqlpcD5xtFMh5ikqgBIXV5AEdmfUrFT7dDz+dJR49eHxVg==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=alliancecan.ca;
- Msip_labels:
I currently have cipher_list = "DEFAULT" set in mods-available/eap.
Output of openssl from the vm that freeradius is running on:
openssl ciphers -s -v 'DEFAULT'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any
Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)
Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256)
Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA
Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA
Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA
Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128)
Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128)
Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)
Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
I also corrected this:
bin/server-sign.php alliancecan.ca days_valid=1095
which puts days_valid in the subject. I've created my server cert using and
replaced them on the radius server:
bin/server-sign.php alliancecan.ca radius.alliancecan.ca
From: Chris Phillips <Chris.Phillips AT canarie.ca>
Sent: Thursday, August 18, 2022 10:49 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; Paul Dekkers
<paul.dekkers AT surf.nl>; geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated
You don't often get email from chris.phillips AT canarie.ca. Learn why this is
important
Watching this Darren and others..
Since it’s a tlsv1 alert, is there interplay on the various cipher suites
being negotiated within the RADIUS server to the supplicant?
What permissible ciphersuites are being made available on the RADIUS server
for the negotiation and handshake (as hinted at here )
I’m not sure which cipher suites are minimally required for the
geteduroam.app and the platforms it runs on but that could be a place to look
into?
C
From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org>
on behalf of Darren Boss <geteduroam AT lists.geant.org>
Date: Thursday, August 18, 2022 at 9:12 AM
To: Paul Dekkers <paul.dekkers AT surf.nl>, geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>, Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated
________________________________
External This email originated from outside the organization. Use caution
when following links as they could open malicious web sites.
________________________________
I figured out the header issue yesterday but solved it differently with a
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
in the virtual host configuration.
The Andorid geteduroam app is able to install the wireless profile now but
I'm right back to seeing this in the freeradius logs when the client attempts
to authenticate to my testing eduroam ssid:
(27) eap: Expiring EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Finished EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Previous EAP request found for state 0xbac2bb39b8c6b6be, released
from the list
(27) eap: Peer sent packet with method EAP TLS (13)
(27) eap: Calling submodule eap_tls to process data
(27) eap_tls: (TLS) EAP Done initial handshake
(27) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(27) eap_tls: (TLS) The client is informing us that there is a failure inside
the TLS protocol exchange.
(27) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
(27) eap_tls: (TLS) Server : Need to read more data: error
(27) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error
(27) eap_tls: (TLS) In Handshake Phase
(27) eap_tls: (TLS) Application data.
(27) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(27) eap_tls: ERROR: [eaptls process] = fail
(27) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
(27) eap: Sending EAP Failure (code 4) ID 4 length 4
(27) eap: Failed in EAP select
(27) [eap] = invalid
(27) } # authenticate = invalid
(27) Failed to authenticate the user
(27) Using Post-Auth-Type Reject
There was another message about problem with freeradius 3.0 so I also
upgraded the freeradius packages under Rocky with the ones available at
https://networkradius.com/packages/#fr32-rocky and there wasn't any change.
I simplied my radius configuration to the ones in the
https://github.com/geteduroam/radius-server repo.
ca.pem is the output from "bin/get-signingca.php radius.alliancecan.ca"
server.pem and server.key are the output from "bin/server-sign.php
alliancecan.ca days_valid=1095"
Am I doing something wrong?
From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Thursday, August 18, 2022 5:24 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated
Hi,
Ah, so I think you're maybe running with Apache? Apache by default filters
out the Authorization: header. I believe you can add
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
To your VirtualHost to pass the header to PHP.
I'm using nginx myself, and the documentation assumes lighttpd, but I can
imagine you try with your favorite webserver and stumble upon this.
Regards,
Paul
On 17/08/2022 21:25, Darren Boss (via geteduroam Mailing List) wrote:
Got the response body logged via mod_security:
{
"error": "invalid_request",
"error_description": "Missing SERVER parameter HTTP_AUTHORIZATION"
}
This is the cause of the 400 error on the Debian vm.
From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org>
on behalf of Jørn Åne de Jong <geteduroam AT lists.geant.org>
Sent: Wednesday, August 17, 2022 9:14 AM
To: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: Re: Problem with certificates generated
On 17/08/2022 14:54, Darren Boss (via geteduroam Mailing List) wrote:
I redeployed the portal on Debian 11.4 (Bullseye) but now I'm getting a error
400 on the call from the Android app to /api/eap-config/. I decided to log
the Authorization header to a custom log and was able to decode it using a
JWT decoder. Looks fine, sub claim is my email address (using email nameid
from Azure AD). Including the decoded JWT in case it's something obvious:
{
"__t": "access_token",
"iat": "1660739494",
"sub": "Darren.Boss AT alliancecan.ca",
"realm": "alliancecan.ca",
"scope": "eap-metadata",
"code_challenge_method": "S256",
"code_challenge": "LQpjYE1ZjYAC6i9OwaU3OFYUBR9-rV-X0ohvYcXpLi4",
"client_id": "app.eduroam.geteduroam",
"redirect_uri": "app.eduroam.geteduroam:/",
"exp": "1676637094"
}
jwt.io is flagging the dates as invalid but they look right to me and the iat
matches the date of the apache log entry.
I think the dates are supposed to be ISO strings. I'll fix that in a
future release, but it's not really a problem since we don't need
interoperability with other solutions.
Error 400 means typically something wrong with the OAuth request. Can
you find the answer body? It should tell you what's wrong.
--
Jørn Åne de Jong
geteduroam
- Re: Problem with certificates generated, (continued)
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/16/2022
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Darren Boss, 08/17/2022
- Re: Problem with certificates generated, Hideaki GOTO, 08/17/2022
- Re: Problem with certificates generated, Jørn Åne de Jong, 08/17/2022
- Re: Problem with certificates generated, Darren Boss, 08/17/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/18/2022
- Re: Problem with certificates generated, Darren Boss, 08/18/2022
- Re: Problem with certificates generated, Chris Phillips, 08/18/2022
- Re: Problem with certificates generated, Darren Boss, 08/18/2022
- Re: Problem with certificates generated, Darren Boss, 08/22/2022
- Re: Problem with certificates generated, Jørn Åne de Jong, 08/22/2022
- Re: Problem with certificates generated, Darren Boss, 08/23/2022
- Re: Problem with certificates generated, Darren Boss, 08/17/2022
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
- Re: Problem with certificates generated, Paul Dekkers, 08/16/2022
- Re: Problem with certificates generated, Darren Boss, 08/16/2022
Archive powered by MHonArc 2.6.19.