default certificates: add a useless CRL distribution point?

Phil Mayers p.mayers at imperial.ac.uk
Sat May 25 23:47:44 CEST 2013


On 25/05/2013 20:56, Stefan Winter wrote:
> Hi,
>
> the bootstrap script adds EKU "TLS Web Server" because that makes most
> of the Windows editions happy.
>
> Folks in eduroam have now discovered something ... odd ... with Windows
> Phone 8.
>
> It requires that the *server* certificate that comes in during EAP
> contains the "CRL Distribution Point" extension.

Oh FFS...

>
> This is rather useless of course, because the client can't actually
> consult the CRL because he has no network while he's trying to
> authenticate. As an effect of that, it does not matter at all whether
> the URL in the CDP extension actually serves a CRL. It's just an extra
> annoyance to be aware of.

Are you sure about that? What if the client tries to check the CRL once
it *has* a connection and fails? Will Windows Phone 8 eventually decide
the CA is to be untrusted?

That would obviously be pretty disastrous for "fake" CAs; but the
Microsoft cert stuff does some funny things.

> I'm wondering: should the bootstrap scripts add a CDP pointing to a
> non-existing URL? It would improve the compatibility with these devices.
> It would make the certs look stranger though, as that is just added
> junk. Maybe a URL like "http://www.freeradius.org/silly/cert/extension/"
> would make that clear for anyone who cares to take a look at the
> generated certs.

I think that would be a serious error; "Netgear & UW NTP" springs to
mind. Better put "http://127.0.0.1" if you're going to put something fake.
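As an added example (not part of this thread and not the FreeRADIUS bootstrap scripts themselves): an OpenSSL config fragment that issues a self-signed test server certificate carrying both the "TLS Web Server" EKU discussed above and a CRL Distribution Point pointing at the loopback URL suggested in the reply, followed by a check that the generated certificate really contains the extension. The section names, the CN `radius.example.org` and the use of a self-signed certificate are assumptions made for the example; a real deployment would sign the server cert with its own CA.

```shell
#!/bin/sh
# Added example: generate a test server cert with EKU serverAuth and a
# CRL Distribution Point that points at loopback, then verify the
# extension is present. Requires the openssl CLI.

# Write the OpenSSL config and issue a self-signed cert.
# Prints the path of the generated certificate.
gen_cert_with_cdp() {
    dir=$(mktemp -d)
    # Assumed config: section names and CN are example values.
    cat > "$dir/server.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = radius.example.org

[ v3_server ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
# EKU that keeps Windows EAP supplicants happy
extendedKeyUsage     = serverAuth
# CDP on loopback: satisfies clients that insist on the extension
# without sending revocation lookups at someone else's host
crlDistributionPoints = URI:http://127.0.0.1/
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/server.cnf" -extensions v3_server \
        -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
    echo "$dir/server.pem"
}

# Print "yes" if the cert has a CRL Distribution Points extension,
# "no" otherwise.
has_cdp() {
    if openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"; then
        echo yes
    else
        echo no
    fi
}

# Print the CDP URI carried by the cert (empty if none).
cdp_uri() {
    openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' | head -n 1 | sed 's/^URI://'
}

# Print "yes" if the cert has the serverAuth EKU, "no" otherwise.
has_server_eku() {
    if openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"; then
        echo yes
    else
        echo no
    fi
}
```

Running `cert=$(gen_cert_with_cdp); has_cdp "$cert"; cdp_uri "$cert"` prints `yes` and `http://127.0.0.1/`. The same `has_cdp` check is also a quick way to audit certificates already deployed on a RADIUS server before pointing a Windows Phone 8 client at it.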

