
geteduroam - Re: Problem with certificates generated

Re: Problem with certificates generated

  • From: Darren Boss <Darren.Boss AT alliancecan.ca>
  • To: Jørn Åne de Jong <jornane.dejong AT surf.nl>, Chris Phillips <Chris.Phillips AT canarie.ca>, Paul Dekkers <paul.dekkers AT surf.nl>, "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
  • Subject: Re: Problem with certificates generated
  • Date: Tue, 23 Aug 2022 02:34:57 +0000

After I created a new server cert with the following command
bin/server-sign.php alliancecan.ca radius.alliancecan.ca
it's working now from MacOS and my Pixel 6 running the beta version of
geteduroam. I was able to test under Android 12 and 13 as I was able to
upgrade today. My co-worker said his older Pixel 4 was not able to connect.
Older iPad was dusted off and worked as well. It sounds like if I create the
CA correctly (SAN gets set correctly) and import that in I should be good?

I think I'm close to having a usable setup at this point. Thanks for the
suggestions and explanations.

Does anyone have any tips on getting more information from clients like
Android and iOS devices when there are problems? The MacOS logs told us
exactly what was wrong when connecting.

From: Jørn Åne de Jong <jornane.dejong AT surf.nl>
Sent: Monday, August 22, 2022 4:23 PM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; Chris Phillips
<Chris.Phillips AT canarie.ca>; Paul Dekkers <paul.dekkers AT surf.nl>;
geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>; Jørn Åne de Jong
<jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated
 
On 22/08/2022 21:06, Darren Boss wrote:
> Getting to the heart of the issue now. My co-worker saw this message in his
> MacOS logs while connecting:
> SecTrustEvaluateWithError failed, Error Domain=NSOSStatusErrorDomain
> Code=-67602 ""alliancecan.ca" certificate name does not match input"
> UserInfo={NSLocalizedDescription="alliancecan.ca" certificate name does not
> match input, NSUnderlyingError=0x7fd1f95053e0 {Error
> Domain=NSOSStatusErrorDomain Code=-67602 "Certificate 0 "alliancecan.ca"
> has errors: Trusted EAP hostname does not match name(s) in certificate;"
> UserInfo={NSLocalizedDescription=Certificate 0 "alliancecan.ca" has errors:
> Trusted EAP hostname does not match name(s) in certificate;}}}
>
> I'm not creating the server certificate correctly is how I read this. I'm
> confused about how I would determine what the Trusted EAP hostname would
> even be.
>
[…]
>
> I also corrected this:
> bin/server-sign.php alliancecan.ca days_valid=1095
> which puts days_valid in the subject. I've created my server cert using and
> replaced them on the radius server:
> bin/server-sign.php alliancecan.ca radius.alliancecan.ca

I see two possible problems here:

1) For about a year now, Apple has restricted certificate lifetimes [1].
Publicly trusted certificates must now be valid for 398 days or less,
and privately trusted certificates (such as with your own RADIUS server)
must be valid for 825 days or less.
In the link I sent, it's unclear whether the 825 days limit is enforced,
but from testing I can confirm that it is.  I will update the
documentation and default values in the project as well.

2) I noticed that, when using the built-in CA, no SAN is set for the CA
or the certificates.  The current Android app might have an issue with
that, but it should work on the other platforms.  I recommend using a
public certificate, or waiting until I've patched this (may take a week or
two).

[1] https://discussions.apple.com/thread/251323073
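The two checks this thread turns on, that the EAP server hostname is present in the certificate's subjectAltName (the "Trusted EAP hostname does not match" error above) and that the lifetime stays within Apple's 825-day (private CA) or 398-day (public CA) limit, written up as an added example that is not part of the thread or of the geteduroam project. It assumes a Linux host with the openssl CLI (1.1.1 or newer) and GNU date; the hostnames and file paths in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the list thread or the geteduroam project):
# pre-flight a RADIUS/EAP server certificate before deploying it, checking
# the two things Apple clients reject: a missing/mismatched SAN hostname and
# a lifetime beyond Apple's limit. Assumes GNU date and openssl >= 1.1.1.
set -eu

MAX_PRIVATE_DAYS=825   # Apple limit for privately trusted certs (per [1] in the thread)
MAX_PUBLIC_DAYS=398    # Apple limit for publicly trusted certs

# check_eap_cert <cert.pem> <expected-eap-hostname> [private|public]
# Prints one line per finding; returns 0 only when both checks pass.
check_eap_cert() {
    cert="$1"; host="$2"; kind="${3:-private}"
    ok=0
    if [ "$kind" = public ]; then limit=$MAX_PUBLIC_DAYS; else limit=$MAX_PRIVATE_DAYS; fi

    # 1) SAN check: the hostname the client is told to trust must appear as a
    #    DNS: entry in subjectAltName (the CN alone is no longer sufficient).
    sans=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p')
    if printf '%s\n' "$sans" | grep -qx "$host"; then
        echo "OK   subjectAltName contains DNS:$host"
    else
        echo "FAIL no DNS:$host in subjectAltName (have: ${sans:-none}); clients will report a hostname mismatch"
        ok=1
    fi

    # 2) Lifetime check: notAfter - notBefore, in whole days, against the limit.
    nb=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$cert" -noout -enddate   | sed 's/^notAfter=//')
    nb_s=$(date -u -d "$nb" +%s); na_s=$(date -u -d "$na" +%s)
    days=$(( (na_s - nb_s) / 86400 ))
    if [ "$days" -le "$limit" ]; then
        echo "OK   lifetime ${days}d <= ${limit}d ($kind CA)"
    else
        echo "FAIL lifetime ${days}d > ${limit}d ($kind CA); Apple devices will reject it"
        ok=1
    fi
    return $ok
}

# Usage (placeholder paths/hostname): check_eap_cert /etc/raddb/certs/server.pem radius.example.org
```

Run it against the freshly signed server certificate before copying it to the RADIUS server; a 1095-day certificate without a SAN, as in the thread, fails both checks.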


