geteduroam - Re: Problem with certificates generated

  • From: Darren Boss <Darren.Boss AT alliancecan.ca>
  • To: Chris Phillips <Chris.Phillips AT canarie.ca>, Paul Dekkers <paul.dekkers AT surf.nl>, "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>, Jørn Åne de Jong <jornane.dejong AT surf.nl>
  • Subject: Re: Problem with certificates generated
  • Date: Mon, 22 Aug 2022 19:06:59 +0000
  • Accept-language: en-US

Getting to the heart of the issue now. My co-worker saw this message in his
MacOS logs while connecting:
SecTrustEvaluateWithError failed, Error Domain=NSOSStatusErrorDomain Code=-67602 ""alliancecan.ca" certificate name does not match input" UserInfo={NSLocalizedDescription="alliancecan.ca" certificate name does not match input, NSUnderlyingError=0x7fd1f95053e0 {Error Domain=NSOSStatusErrorDomain Code=-67602 "Certificate 0 "alliancecan.ca" has errors: Trusted EAP hostname does not match name(s) in certificate;" UserInfo={NSLocalizedDescription=Certificate 0 "alliancecan.ca" has errors: Trusted EAP hostname does not match name(s) in certificate;}}}

I'm not creating the server certificate correctly is how I read this. I'm
confused about how I would determine what the Trusted EAP hostname would even
be.
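As an added illustration (not code from the geteduroam project or from anyone on this thread), the Go program below reproduces the name check behind that macOS error with the standard library's x509 package: a certificate carrying only CN=alliancecan.ca fails for the server name radius.alliancecan.ca, while one that lists that name in its subjectAltName passes. Keys and certificates are generated in-process as constructed stand-ins for server.pem, and the trusted EAP hostname is assumed to be whatever server name the supplicant profile was told to trust, here radius.alliancecan.ca.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeServerCert builds a self-signed certificate whose subject CN is cn and
// whose subjectAltName lists dnsNames (constructed stand-in for server.pem).
func makeServerCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(1095 * 24 * time.Hour), // days_valid=1095
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// eapNameMatches reports whether serverName (the name the supplicant was told
// to trust) is covered by cert's subjectAltName DNS entries. Go ignores a
// legacy CN entirely, so only the SAN counts here.
func eapNameMatches(cert *x509.Certificate, serverName string) bool {
	return cert.VerifyHostname(serverName) == nil
}

func main() {
	cnOnly, _ := makeServerCert("alliancecan.ca", nil)
	withSAN, _ := makeServerCert("alliancecan.ca", []string{"radius.alliancecan.ca"})
	fmt.Println("CN only  ->", eapNameMatches(cnOnly, "radius.alliancecan.ca"))  // false
	fmt.Println("with SAN ->", eapNameMatches(withSAN, "radius.alliancecan.ca")) // true
}
```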

From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org>
on behalf of Darren Boss <geteduroam AT lists.geant.org>
Sent: Thursday, August 18, 2022 11:15 AM
To: Chris Phillips <Chris.Phillips AT canarie.ca>; Paul Dekkers
<paul.dekkers AT surf.nl>; geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated
 
I currently have cipher_list = "DEFAULT" set in mods-available/eap.

Output of openssl from the vm that freeradius is running on:
openssl ciphers -s -v 'DEFAULT'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

I also corrected this:
bin/server-sign.php alliancecan.ca days_valid=1095
which puts days_valid in the subject. I've created my server cert using the following and
replaced it on the radius server:
bin/server-sign.php alliancecan.ca radius.alliancecan.ca


From: Chris Phillips <Chris.Phillips AT canarie.ca>
Sent: Thursday, August 18, 2022 10:49 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; Paul Dekkers
<paul.dekkers AT surf.nl>; geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated
 


Watching this Darren and others..
 
Since it’s a tlsv1 alert, is there interplay on the various cipher suites
being negotiated within the RADIUS server to the supplicant?
What permissible ciphersuites are being made available on the RADIUS server
for the negotiation and handshake (as hinted at here)
 
I’m not sure which cipher suites are minimally required for the
geteduroam.app and the platforms it runs on but that could be a place to look
into?
 
C
 
 
 
From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org>
on behalf of Darren Boss <geteduroam AT lists.geant.org>
Date: Thursday, August 18, 2022 at 9:12 AM
To: Paul Dekkers <paul.dekkers AT surf.nl>, geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>, Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated

I figured out the header issue yesterday but solved it differently with a
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} .
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
in the virtual host configuration.

The Android geteduroam app is able to install the wireless profile now but
I'm right back to seeing this in the freeradius logs when the client attempts
to authenticate to my testing eduroam ssid:

(27) eap: Expiring EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Finished EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Previous EAP request found for state 0xbac2bb39b8c6b6be, released
from the list
(27) eap: Peer sent packet with method EAP TLS (13)
(27) eap: Calling submodule eap_tls to process data
(27) eap_tls: (TLS) EAP Done initial handshake
(27) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(27) eap_tls: (TLS) The client is informing us that there is a failure inside
the TLS protocol exchange.
(27) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
(27) eap_tls: (TLS) Server : Need to read more data: error
(27) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error
(27) eap_tls: (TLS) In Handshake Phase
(27) eap_tls: (TLS) Application data.
(27) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(27) eap_tls: ERROR: [eaptls process] = fail
(27) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module
failed
(27) eap: Sending EAP Failure (code 4) ID 4 length 4
(27) eap: Failed in EAP select
(27)     [eap] = invalid
(27)   } # authenticate = invalid
(27) Failed to authenticate the user
(27) Using Post-Auth-Type Reject

There was another message about problem with freeradius 3.0 so I also
upgraded the freeradius packages under Rocky with the ones available at
https://networkradius.com/packages/#fr32-rocky and there wasn't any change.

I simplified my radius configuration to the ones in the
https://github.com/geteduroam/radius-server repo.

ca.pem is the output from "bin/get-signingca.php  radius.alliancecan.ca"

server.pem and server.key are the output from "bin/server-sign.php
alliancecan.ca days_valid=1095"

Am I doing something wrong?

From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Thursday, August 18, 2022 5:24 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; geteduroam AT lists.geant.org
<geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated

Hi,
Ah, so I think you're maybe running with Apache? Apache by default filters
out the Authorization: header. I believe you can add
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
To your VirtualHost to pass the header to PHP.
I'm using nginx myself, and the documentation assumes lighttpd, but I can
imagine you try with your favorite webserver and stumble upon this.
Regards,
Paul

On 17/08/2022 21:25, Darren Boss (via geteduroam Mailing List) wrote:
Got the response body logged via mod_security:
{
    "error": "invalid_request",
    "error_description": "Missing SERVER parameter HTTP_AUTHORIZATION"
}

This is the cause of the 400 error on the Debian vm.

From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org>
on behalf of Jørn Åne de Jong <geteduroam AT lists.geant.org>
Sent: Wednesday, August 17, 2022 9:14 AM
To: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: Re: Problem with certificates generated

On 17/08/2022 14:54, Darren Boss (via geteduroam Mailing List) wrote:

I redeployed the portal on Debian 11.4 (Bullseye) but now I'm getting an error
400 on the call from the Android app to /api/eap-config/. I decided to log
the Authorization header to a custom log and was able to decode it using a
JWT decoder. Looks fine, sub claim is my email address (using email nameid
from Azure AD). Including the decoded JWT in case it's something obvious:

{
    "__t": "access_token",
    "iat": "1660739494",
    "sub": "Darren.Boss AT alliancecan.ca",
    "realm": "alliancecan.ca",
    "scope": "eap-metadata",
    "code_challenge_method": "S256",
    "code_challenge": "LQpjYE1ZjYAC6i9OwaU3OFYUBR9-rV-X0ohvYcXpLi4",
    "client_id": "app.eduroam.geteduroam",
    "redirect_uri": "app.eduroam.geteduroam:/",
    "exp": "1676637094"
}

jwt.io is flagging the dates as invalid but they look right to me and the iat
matches the date of the apache log entry.

I think the dates are supposed to be ISO strings.  I'll fix that in a
future release, but it's not really a problem since we don't need
interoperability with other solutions.

Error 400 means typically something wrong with the OAuth request.  Can
you find the answer body?  It should tell you what's wrong.

--
Jørn Åne de Jong
geteduroam

