default certificates: add a useless CRL distribution point?

Phil Mayers p.mayers at
Sat May 25 23:47:44 CEST 2013

On 25/05/2013 20:56, Stefan Winter wrote:
> Hi,
> the bootstrap script adds EKU "TLS Web Server" because that makes most
> of the Windows editions happy.
> Folks in eduroam have now discovered something ... odd ... with Windows
> Phone 8.
> It requires that the *server* certificate that comes in during EAP
> contains the "CRL Distribution Point" extension.

Oh FFS...

> This is rather useless of course, because the client can't actually
> consult the CRL because he has no network while he's trying to
> authenticate. As an effect of that, it does not matter at all whether
> the URL in the CDP extension actually serves a CRL. It's just an extra
> annoyance to be aware of.

Are you sure about that? What if the client tries to check the CRL once 
it *has* a connection and fails? Will Windows Phone 8 eventually decide 
the CA is to be untrusted?

That would obviously be pretty disastrous for "fake" CAs; but the 
Microsoft cert stuff does some funny things.

> I'm wondering: should the bootstrap scripts add a CDP pointing to a
> non-existing URL? It would improve the compatibility with these devices.
> It would make the certs look stranger though, as that is just added
> junk. Maybe a URL like ""
> would make that clear for anyone who cares to take a look at the
> generated certs.

I think that would be a serious error; "Netgear & UW NTP" springs to 
mind. Better put "" if you're going to put something fake.

More information about the Freeradius-Devel mailing list