
geteduroam - Re: Problem with certificates generated

Subject: An open discussion list for topics related to the geteduroam service



Re: Problem with certificates generated


  • From: Jørn Åne de Jong <jornane.dejong AT surf.nl>
  • To: Darren Boss <Darren.Boss AT alliancecan.ca>, Chris Phillips <Chris.Phillips AT canarie.ca>, Paul Dekkers <paul.dekkers AT surf.nl>, "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>, Jørn Åne de Jong <jornane.dejong AT surf.nl>
  • Subject: Re: Problem with certificates generated
  • Date: Mon, 22 Aug 2022 22:23:34 +0200

On 22/08/2022 21:06, Darren Boss wrote:
Getting to the heart of the issue now. My co-worker saw this message in his
MacOS logs while connecting:
SecTrustEvaluateWithError failed, Error Domain=NSOSStatusErrorDomain Code=-67602 ""alliancecan.ca" certificate name does
not match input" UserInfo={NSLocalizedDescription="alliancecan.ca" certificate name does not match input,
NSUnderlyingError=0x7fd1f95053e0 {Error Domain=NSOSStatusErrorDomain Code=-67602 "Certificate 0 "alliancecan.ca" has
errors: Trusted EAP hostname does not match name(s) in certificate;" UserInfo={NSLocalizedDescription=Certificate 0
"alliancecan.ca" has errors: Trusted EAP hostname does not match name(s) in certificate;}}}

I'm not creating the server certificate correctly is how I read this. I'm
confused about how I would determine what the Trusted EAP hostname would even
be.

[…]

I also corrected this:
bin/server-sign.php alliancecan.ca days_valid=1095
which puts days_valid in the subject. I've created my server cert using and
replaced them on the radius server:
bin/server-sign.php alliancecan.ca radius.alliancecan.ca

I see two possible problems here:

1) For about a year now, Apple has restricted certificate lifetimes [1].
Publicly trusted certificates must now be valid for 398 days or less, and privately trusted certificates (such as with your own RADIUS server) must be valid for 825 days or less.
In the link I sent, it's unclear whether the 825 days limit is enforced, but from testing I can confirm that it is. I will update the documentation and default values in the project as well.

2) I noticed that, when using the built-in CA, no SAN is set for the CA or the certificates. The current Android app might have an issue with that, but it should work on the other platforms. I recommend using a public certificate, or waiting until I've patched this (may take a week or two).

[1] https://discussions.apple.com/thread/251323073
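As an added example (not code from the thread or from the geteduroam project), a POSIX shell script that checks a RADIUS server certificate for the two problems raised above: a total lifetime over Apple's 825-day limit for privately trusted certificates (398 for publicly trusted ones), and a missing subjectAltName DNS entry for the hostname the client is told to trust. It assumes the openssl CLI and GNU date; the hostname and the certificates it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Check an EAP (RADIUS) server certificate for the two problems in the thread:
# lifetime over 825 days (privately trusted; 398 for publicly trusted) and no
# subjectAltName DNS entry matching the hostname the client is told to trust.
# Assumes the openssl CLI (1.1.1+ for -addext/-ext) and GNU date (-d parsing).
set -e
MAX_PRIVATE_DAYS=825
MAX_PUBLIC_DAYS=398
# make_test_cert OUT CN DAYS [SAN_HOST]: constructed self-signed test certificate
make_test_cert() {
    out=$1; cn=$2; days=$3; san=$4; ext_opt=""
    [ -n "$san" ] && ext_opt="-addext subjectAltName=DNS:$san"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=$cn" $ext_opt >/dev/null 2>&1
}

# cert_lifetime_days CERT: notAfter minus notBefore, rounded to whole days
cert_lifetime_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) + 43200 ) / 86400 ))
}

# cert_has_san_dns CERT HOST: succeeds only if HOST is one of the SAN DNS names
cert_has_san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# check_eap_cert CERT HOST [public]: prints each problem found; fails if any
check_eap_cert() {
    cert=$1; host=$2; limit=$MAX_PRIVATE_DAYS; rc=0
    [ "$3" = "public" ] && limit=$MAX_PUBLIC_DAYS
    days=$(cert_lifetime_days "$cert")
    if [ "$days" -gt "$limit" ]; then
        echo "  lifetime of $days days exceeds the $limit-day limit"; rc=1
    fi
    if ! cert_has_san_dns "$cert" "$host"; then
        echo "  no subjectAltName DNS entry for $host"; rc=1
    fi
    return $rc
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
HOST=radius.example.org   # constructed hostname, not one from the thread
make_test_cert "$TMP/bad.pem"  "$HOST" 1095          # like the thread: 1095 days, CN only
make_test_cert "$TMP/good.pem" "$HOST" 825 "$HOST"   # within limit, SAN matches HOST
echo "bad.pem:";  check_eap_cert "$TMP/bad.pem"  "$HOST" || true
echo "good.pem:"; check_eap_cert "$TMP/good.pem" "$HOST" && echo "  ok"
```

To check a deployed certificate, run check_eap_cert against the PEM file your RADIUS server serves and the hostname configured as the trusted EAP name in the client profile.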
