Blackberry disabled server certificates query

Palmer J.D.F. J.D.F.Palmer at swansea.ac.uk
Fri Jan 20 12:33:54 CET 2012


We have endless amounts of trouble connecting Blackberrys; they are
hateful things.
Some devices will use the certificate, some won't connect unless cert
validation is disabled.  Some don't have the option to disable cert
checking, and some won't connect at all.
For an essentially single-vendor device they have the most varied and
random configuration idiosyncrasies between devices, even of the same
model. Due to this variance we no longer try to offer online support for
them; users are asked to bring them in to be looked at (and hacked at)
to connect them.

But yes, if possible you want to be enforcing cert validation, but in
practice it's not always possible.

> -----Original Message-----
> From: freeradius-users-bounces+j.d.f.palmer=swansea.ac.uk at lists.freeradius.org
> [mailto:freeradius-users-bounces+j.d.f.palmer=swansea.ac.uk at lists.freeradius.org]
> On Behalf Of Garber, Neal
> Sent: 20 January 2012 11:13
> To: 'FreeRadius users mailing list'
> Subject: RE: Blackberry disabled server certificates query
> 
> > if you leave the box unchecked "disable server certificate validation"
> > then the blackberry connects fine if you uncheck connection fails
> > "failed to connect".
> 
> You wrote, "...if you leave it unchecked... (it)... connects fine if
> you uncheck (it the) connection fails"???
> 
> Did you mean to say "if you leave it *checked* it connects fine"??  If
> so, checking the box is telling your Blackberry NOT to validate the
> RADIUS server's certificate.  If you don't validate the certificate,
> there's a risk that you could be passing your credentials to an
> untrusted RADIUS server (if someone impersonates your wireless network
> name).
> 
> Best practice, for RADIUS, is to use a cert generated from a private CA
> that you control, or at least trust.  In this case, you would need to
> configure your Blackberrys to validate that the certificate is signed
> by the CA you expect (which means they would need the CA's cert
> installed - I assume this is possible with Blackberrys, but I don't
> own one and I don't know how difficult it is to distribute a cert to
> the Blackberrys or how many you have).
> 
> You need to decide whether to accept the risk or not.
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
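
The check that the "disable server certificate validation" box turns off, reproduced with the openssl command line as an added example that is not part of the original thread. The CA name and server name are constructed, and `openssl verify` stands in for the handset's own validation, which is an assumption about how the device behaves.

```shell
#!/bin/sh
# Added example. Every name here (CA name, server name) is constructed.

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_server_cert DIR CN: issue a server certificate for CN from DIR's CA.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -days 30 \
        -out "$1/server.pem" 2>/dev/null
}

# client_accepts TRUSTED_CA SERVER_CERT: the check a validating client makes.
# Succeeds only if SERVER_CERT is signed by the CA the client was given.
client_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict TRUSTED_CA SERVER_CERT: print "accepted" or "rejected".
verdict() {
    if client_accepts "$1" "$2"; then echo accepted; else echo rejected; fi
}

# build_pki DIR: the site's CA in DIR/site, plus an unrelated CA in DIR/other
# that reuses the same CA name and server name (names alone prove nothing).
build_pki() {
    mkdir -p "$1/site" "$1/other" &&
    make_ca "$1/site" "Example Private CA" &&
    issue_server_cert "$1/site" "radius.example.org" &&
    make_ca "$1/other" "Example Private CA" &&
    issue_server_cert "$1/other" "radius.example.org"
}

work=$(mktemp -d) && build_pki "$work" && {
    echo "site server, CA installed:       $(verdict "$work/site/ca.pem" "$work/site/server.pem")"
    echo "look-alike server, CA installed: $(verdict "$work/site/ca.pem" "$work/other/server.pem")"
}
rm -rf "$work"
```

With validation disabled the client never runs the `client_accepts` step, so both servers are treated the same.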



