default certificates: add a useless CRL distribution point?
Phil Mayers
p.mayers at imperial.ac.uk
Sat May 25 23:47:44 CEST 2013
On 25/05/2013 20:56, Stefan Winter wrote:
> Hi,
>
> the bootstrap script adds EKU "TLS Web Server" because that makes most
> of the Windows editions happy.
>
> Folks in eduroam have now discovered something ... odd ... with Windows
> Phone 8.
>
> It requires that the *server* certificate that comes in during EAP
> contains the "CRL Distribution Point" extension.
Oh FFS...
>
> This is rather useless of course, because the client can't actually
> consult the CRL because he has no network while he's trying to
> authenticate. As an effect of that, it does not matter at all whether
> the URL in the CDP extension actually serves a CRL. It's just an extra
> annoyance to be aware of.
Are you sure about that? What if the client tries to check the CRL once
it *has* a connection and fails? Will Windows Phone 8 eventually decide
the CA is to be untrusted?
That would obviously be pretty disastrous for "fake" CAs; but the
Microsoft cert stuff does some funny things.
> I'm wondering: should the bootstrap scripts add a CDP pointing to a
> non-existing URL? It would improve the compatibility with these devices.
> It would make the certs look stranger though, as that is just added
> junk. Maybe a URL like "http://www.freeradius.org/silly/cert/extension/"
> would make that clear for anyone who cares to take a look at the
> generated certs.
I think that would be a serious error; "Netgear & UW NTP" springs to
mind. Better put "http://127.0.0.1" if you're going to put something fake.
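As an added illustration (not code from the FreeRADIUS bootstrap script or from either poster), the following shell snippet generates a throwaway CA and an EAP server certificate that carries both the "TLS Web Server" EKU and a CRL Distribution Point, then checks that both extensions actually ended up in the certificate. The CDP URL http://127.0.0.1/placeholder.crl is an assumed placeholder in the spirit of the 127.0.0.1 suggestion above; nothing serves a CRL there, and the subject names and output directory are likewise made up for the example.

```shell
#!/bin/sh
# Added example, not part of the FreeRADIUS bootstrap script: build a test CA
# and an EAP server cert with serverAuth EKU plus a placeholder CDP, then
# verify the extensions with openssl. All names and paths below are assumed.

set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CDP_URL="http://127.0.0.1/placeholder.crl"   # assumed placeholder, never served

# Write the OpenSSL extension file used when signing the server certificate.
# crlDistributionPoints is the extension Windows Phone 8 reportedly insists on.
write_server_ext() {
    cat > "$WORKDIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
crlDistributionPoints = URI:$CDP_URL
EOF
}

# Generate a self-signed CA, a server key/CSR, and sign the CSR with the
# extension file above. Subjects are constructed for the example.
make_certs() {
    write_server_ext
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
        -out "$WORKDIR/ca.pem" -days 365 -subj "/CN=Example EAP CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/server.key" \
        -out "$WORKDIR/server.csr" -subj "/CN=radius.example.org" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.pem" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.pem" 2>/dev/null
}

# Return 0 if the certificate at $1 carries a CDP with the expected URL and
# the "TLS Web Server Authentication" EKU, 1 otherwise. This is the check to
# run after regenerating certs, before pointing a Windows Phone 8 at them.
cert_has_wp8_extensions() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'CRL Distribution Points' || return 1
    echo "$text" | grep -q "URI:$CDP_URL" || return 1
    echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
    return 0
}

make_certs
if cert_has_wp8_extensions "$WORKDIR/server.pem"; then
    echo "server.pem carries serverAuth EKU and CDP $CDP_URL"
else
    echo "server.pem is missing an expected extension" >&2
    exit 1
fi
```

The check deliberately greps the decoded certificate rather than trusting the extension file: a missing `-extfile` argument (a common slip in scripts) silently produces a certificate with no extensions at all, which is exactly the situation the thread is trying to avoid.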