default certificates: add a useless CRL distribution point?
Hi, the bootstrap script adds EKU "TLS Web Server" because that makes most of the Windows editions happy. Folks in eduroam have now discovered something ... odd ... with Windows Phone 8. It requires that the *server* certificate that comes in during EAP contains the "CRL Distribution Point" extension. This is rather useless of course, because the client can't actually consult the CRL because he has no network while he's trying to authenticate. As an effect of that, it does not matter at all whether the URL in the CDP extension actually serves a CRL. It's just an extra annoyance to be aware of. I'm wondering: should the bootstrap scripts add a CDP pointing to a non-existing URL? It would improve the compatibility with these devices. It would make the certs look stranger though, as that is just added junk. Maybe a URL like "http://www.freeradius.org/silly/cert/extension/" would make that clear for anyone who cares to take a look at the generated certs. Note that I don't know if the CA and/or intermediates also need that extension present. I can find out if need be (and I'm sure Tomasz and Maja are reading this list themselves anyway :-) ). Greetings, Stefan Winter
On 25/05/2013 20:56, Stefan Winter wrote:
Hi,
the bootstrap script adds EKU "TLS Web Server" because that makes most of the Windows editions happy.
Folks in eduroam have now discovered something ... odd ... with Windows Phone 8.
It requires that the *server* certificate that comes in during EAP contains the "CRL Distribution Point" extension.
Oh FFS...
This is rather useless of course, because the client can't actually consult the CRL because he has no network while he's trying to authenticate. As an effect of that, it does not matter at all whether the URL in the CDP extension actually serves a CRL. It's just an extra annoyance to be aware of.
Are you sure about that? What if the client tries to check the CRL once it *has* a connection and fails? Will Windows 8Phone eventually decide the CA is to be untrusted? That would obviously be pretty disastrous for "fake" CAs; but the Microsoft cert stuff does some funny things.
I'm wondering: should the bootstrap scripts add a CDP pointing to a non-existing URL? It would improve the compatibility with these devices. It would make the certs look stranger though, as that is just added junk. Maybe a URL like "http://www.freeradius.org/silly/cert/extension/" would make that clear for anyone who cares to take a look at the generated certs.
I think that would be a serious error; "Netgear & UW NTP" springs to mind. Better put "http://127.0.0.1" if you're going to put something fake.
participants (2)
-
Phil Mayers -
Stefan Winter