Blackberry disabled server certificates query

Bruce Nunn ironrake at
Fri Jan 20 13:56:47 CET 2012

One of the annoying features of Blackberry devices is that the descriptions of the same CA certificate varies from device to device. Some devices, like my Storm2, seem to validate the CA even when that checkbox is selected. Since there are lots of CAs installed on Blackberry phones, setting up EAP can take a while as you go through the several certs which match your CA.

"Palmer J.D.F." <J.D.F.Palmer at> wrote:

>We have endless amounts of trouble connecting Blackberrys, they are
>hateful things.
>Some devices will use the certificate, some won't connect unless cert
>validation is disabled.  Some don't have the option to disable cert
>checking, and some won't connect at all.
>For a essentially single vendor device they have the most varied and
>random configuration idiosyncrasies between devices, even of the same
>model. Due to this variance we no longer try to offer online support for
>them, users are asked to bring them in to be looked at (and hacked at)
>to connect them.
>But yes, if possible you want to be enforcing cert validation, but in
>practice it's not always possible.
>> -----Original Message-----
>> From: freeradius-users-
>> at
>> [mailto:freeradius-users-
>> at] On Behalf Of
>> Garber, Neal
>> Sent: 20 January 2012 11:13
>> To: 'FreeRadius users mailing list'
>> Subject: RE: Blackberry disabled server certificates query
>> > if you leave the box unchecked "disable server certificate
>> validation"
>> > then the blackberry connects fine if you uncheck connection fails
>> > "failed to connect".
>> You wrote, "...if you leave it unchecked... (it)... connects fine if
>> you uncheck (it the) connection fails"???
>> Did you mean to say "if you leave it *checked* it connects fine"??  If
>> so, checking the box is telling your Blackberry NOT to validate the
>> RADIUS server's certificate.  If you don't validate the certificate,
>> there's a risk that you could be passing your credentials to an
>> untrusted RADIUS server (if someone impersonates your wireless network
>> name).
>> Best practice, for RADIUS, is to use a cert generated from a private
>> that you control, or at least trust.  In this case, you would need to
>> configure your Blackberry's to validate that the certificate is signed
>> by the CA you expect (which means they would need the CA's cert
>> installed - I assume this is possible with Blackberry's, but I don't
>> own one and I don't know how difficult it is to distribute a cert to
>> the Blackberry's or how many you have).
>> You need to decide whether to accept the risk or not.
>> -
>> List info/subscribe/unsubscribe? See
>List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list