
Discussion Board

Results 1 to 15 of 22 (page 1 of 2)
  1. #1 Registered User (joined Aug 2007, 7 posts)

    EAP-TLS, freeradius and symbian keystore ?

    We're in the process of setting up EAP-TLS authentication for Series 60 phones, and are having some difficulties. The RADIUS server is authenticating our PCs just fine with EAP-TLS, but when doing the same with Nokia phones (E65, N95, E60) we're having problems.

    We've uploaded the same ca.der and client.p12 to the phone as we use on PCs. But when connecting, the server sends an Access-Challenge, and then the phone pops up a password prompt for the key store... and once this is entered nothing else happens on the server. We suspect that the password prompt for the key store might be interrupting the authentication process, and it would be very nice if we could disable the keystore. Is that possible?

    Anybody else have experience with using EAP-TLS on phones? Together with freeradius?

  2. #2 Regular Contributor (joined May 2007, 463 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    It seems rather unlikely that freeradius is so delay intolerant. I'm not sure what you mean by "disable the key store" since that is, after all, where your key is. The keystore is based on cryptotokens, and you'll be asked once per session for the keystore passphrase to unlock it.

    As a rather primitive debugging mechanism, I suggest you upload a second set of credentials to the phone (another PKCS#12 file.) If client auth goes to plan, you should get a dialog asking you to choose which client certificate you want to use for the session.

    Use the N95 as the device to debug it on, since it has Symbian OS 9.2 on it and some of the changes myself and others made to the client auth code will probably be on device. However, client auth in the TLS client is still a complete mess (this is *not* my fault, it was written by monkeys) so you have to be very careful about how you use it.

    Specifically, your client certificate should be issued directly by the trust anchor the radius server sends as the request DN, with no intervening intermediate certificates.

    If you can watch the traffic going to and from the RADIUS server with Wireshark, see if the client is sending an alert or something.

    Edit: Oh, another thing I thought of. The keystore passphrase won't be the same thing as the key passphrase for your PKCS#12 file. I guess you probably know that already, but it bears mentioning. I doubt Nokia has any error reporting worth a damn on EAP-TLS; after all, they don't on anything else.....
    Last edited by cdavies; 2007-08-07 at 15:09.
    Get Resolvr - The Zeroconf framework for Symbian OS free today. Make your IP networking applications fun and easy to use. http://www.novelinteractions.com/resolvr/
    Proud to be the only autorickshaw owner in Cambridge - http://blog.novelinteractions.com/images/tuktuk.jpg

  3. #3 Registered User (joined Aug 2007, 7 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    When connecting to our access-point, this is the traffic I see on the radius server:

    08:55:20.564498 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3a length: 174
    08:55:20.569365 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3a length: 113
    08:55:20.870758 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3b length: 189
    08:55:20.872781 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3b length: 97
    08:55:20.895307 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3c length: 251
    08:55:20.898478 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3c length: 1133
    08:55:20.919690 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3d length: 189
    08:55:20.921709 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3d length: 1133
    08:55:20.942792 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3e length: 189
    08:55:20.944371 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3e length: 230

    At this point my cellphone asks me to enter the key store password. I enter it and it goes to "Connecting..", but I never see any more traffic on the RADIUS server. And the phone is just "Connecting.." until I reboot it.

    BTW: I'm only prompted for the key store password, not for the .p12 password. I don't have a password on the key inside the .p12, so I assume it removes the .p12 password once it imports the cert and key from it when installed?

    We'll try upgrading the N95 to the latest OS, and probably also try upgrading to the latest FreeRADIUS.

    Update: The latest FreeRADIUS didn't change anything.
    Update 2: Upgrading the N95 didn't change anything either. It just hangs after the key store password has been entered, and no traffic is seen on the RADIUS server at this point.
    Last edited by janfrode; 2007-08-08 at 08:45.

  4. #4 Nokia Developer Champion (joined Mar 2003, 4,105 posts)
    janfrode, have you had success with any phone so far? If I recall correctly, I tested a Nokia E70 last year and EAP-TLS with the demo certificates (./raddb/certs/) of FreeRADIUS: no problem. All I had to change was the date and time on the phone to make the certs valid, of course.

    cdavies, why does it ask for the keystore password so often? As it looks like you are in touch with Nokia, would it not be possible for Nokia to keep the session of the keystore open until the phone is switched off when the security-password key lock is active? Or even better, combine the security lock with the keystore passphrase and ask for that at the start of the phone. For example, with IMAP IDLE the current behaviour is a real burden. When the connection is lost and retried later, the session seems to close and the passphrase has to be given again. If I recall correctly, in Apple Mac OS X I do not have to enter the keystore (keychain) passphrase again and again, or is that operating system more insecure?

  5. #5 Regular Contributor (joined May 2007, 463 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    Well, I don't know that Mac OS X is insecure, but I do think the Symbian behaviour is a good idea. It's like sudo, or Kerberos. You put your credentials in and you get a token, and you can access keystore operations until your token expires.

    I can't quite remember how the keystore security management API goes, but there's a lot about the security policy that is configurable per key. It's possible that that includes the token timeout, but I can't remember. If it does Nokia could just add that to the key management settings screen.

    BTW, I don't really know anyone at Nokia working on this (and my views are not those of Nokia.) I just used to work for the Symbian security team, and both keystore and TLS are Symbian components.

    PS. All this talk of client auth made me want to play with it on real phones, but I can't actually find what the default keystore PIN is, can anyone enlighten me? It doesn't appear to be anything obvious like 123456.

  6. #6 Registered User (joined Aug 2007, 7 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    There wasn't a default key store password. The first time I needed to store a client certificate, it prompted me to set the password for the key store (and I wasn't allowed to not set it, or set it too short).

    I agree with traud that the key store is cumbersome, and also quite inconsistent (why does it only protect client certs, and not all the other passwords that are used for e.g. MSCHAPv2 or similar?). It would be much nicer if there were a function that locked the phone (not just for the passphrase but for everything except accepting incoming calls), and that required a real passphrase to unlock. Once it was unlocked, everything should be unlocked.

    A strong idle-lock of the whole phone is actually a requirement for the company my wife works in (banking) if they're going to use smartphones, and the reason they're only allowed to use HTC phones currently.

    And... no success so far with getting EAP-TLS working. BTW: this posting made me wonder if it was a known fact that EAP-TLS isn't working??:

    http://discussions.europe.nokia.com/...ssage.id=48186

  7. #7 Regular Contributor (joined May 2007, 463 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    Ah, I seem to vaguely recall that Nokia phones support only PAP authentication, not CHAP, for some reason. Am I right in thinking from the log snippets you've posted that you're using CHAP? As the other poster says, EAP-TLS definitely does work.

    Edit: Having looked at it on my phone, it's the other way around. It's PAP, not CHAP, that is unsupported.
    Edit 2: Actually, thinking about it, it would be easier if you just described your setup in detail and what you're doing to configure the phone, and then I'll try and figure out what else you should be doing to get it to work.
    Last edited by cdavies; 2007-08-08 at 15:59.

  8. #8 Registered User (joined Aug 2007, 7 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    OK, here's what we're doing:

    I create our CA by:

    % openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG
    Country Name (2 letter code) [NO]:
    State or Province Name (full name) [Rogaland]:
    Locality Name (eg, city) [Stavanger]:
    Organization Name (eg, company) [MySone]:
    Organizational Unit Name (eg, section) []:MyUnit
    Common Name (eg, your name or your server's hostname) []:
    Email Address [mysone@mydomain.no]:

    Convert the ca cert to DER format and upload it to the phone:

    % openssl x509 -inform PEM -outform DER -in ca.crt -out ca.der

    Create a radius server cert:

    % openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config $KEY_CONFIG

    -----
    Country Name (2 letter code) [NO]:
    State or Province Name (full name) [Rogaland]:
    Locality Name (eg, city) [Stavanger]:
    Organization Name (eg, company) [MySone]:
    Organizational Unit Name (eg, section) []:MyUnit
    Common Name (eg, your name or your server's hostname) []:radproxy.mydomain.no
    Email Address [myemail@mydomain.no]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    # Sign it:
    $ openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config $KEY_CONFIG
    Using configuration from /etc/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'NO'
    stateOrProvinceName :PRINTABLE:'Rogaland'
    localityName :PRINTABLE:'Stavanger'
    organizationName :PRINTABLE:'MySone'
    organizationalUnitName:PRINTABLE:'MyUnit'
    commonName :PRINTABLE:'radproxy.mydomain.no'
    emailAddress :IA5STRING:'mysone@mydomain.no'
    Certificate is to be certified until Aug 5 12:06:38 2017 GMT (3650 days)
    Sign the certificate? [y/n]:y

    I put the server.key, server.crt and ca.crt into the FreeRADIUS configuration's private_key_file, certificate_file and CA_file, plus the dh_file and random_file. That's all the config we have in the tls{} section.

    I add a username to the "users" file, so that we will blindly trust any username provided in an EAP-TLS authenticated session.

    Then I create a client key/cert and transfer to the phone:

    % openssl req -days 3650 -nodes -new -keyout client.key -out client.csr -config $KEY_CONFIG
    Country Name (2 letter code) [NO]:
    State or Province Name (full name) [Rogaland]:
    Locality Name (eg, city) [Stavanger]:
    Organization Name (eg, company) [MySone]:
    Organizational Unit Name (eg, section) []:MyUnit
    Common Name (eg, your name or your server's hostname) []:90887424
    Email Address [mysone@mydomain.no]:janfrode@tanso.net

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Sign it:
    % openssl ca -days 3650 -out client.crt -in client.csr -config $KEY_CONFIG
    Using configuration from /etc/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'NO'
    stateOrProvinceName :PRINTABLE:'Rogaland'
    localityName :PRINTABLE:'Stavanger'
    organizationName :PRINTABLE:'MySone'
    organizationalUnitName:PRINTABLE:'MyUnit'
    commonName :PRINTABLE:'90887424'
    emailAddress :IA5STRING:'janfrode@tanso.net'
    Certificate is to be certified until Aug 6 07:21:07 2017 GMT (3650 days)
    Sign the certificate? [y/n]:y

    Convert it to p12:

    % openssl pkcs12 -export -inkey client.key -in client.crt -out /tmp/90887424.p12

    and download this .p12 file to my cellphone. Then I configure my cellphone to use the client certificate from the .p12 file, and the CA certificate from my ca.der file. And I use a user-specified username that matches the username listed in the FreeRADIUS "users" file.

    When trying to connect, my phone just hangs after I've entered the key store password, and nothing is seen on the radius server after this (even checking tcpdump).

    Then I try using the exact same files (except ca.crt instead of ca.der) with wpa_supplicant on linux. The complete configuration I use there is:

    % cat /etc/wpa_supplicant/wpa_supplicant.conf
    network={
        ssid="MySone"
        proto=WPA
        key_mgmt=WPA-EAP
        pairwise=TKIP
        group=TKIP
        eap=TLS
        # same CA as ca.der on the phone, in PEM form
        ca_cert="/tmp/mysone/ca.crt"
        # PKCS#12 with both client cert and key, so no separate client_cert= is needed
        private_key="/tmp/mysone/90887424.p12"
        private_key_passwd="adgadg"

        identity="asles"
    }

    And I get connected with the radius server by executing:

    # wpa_supplicant -iath0 -c /etc/wpa_supplicant/wpa_supplicant.conf -w
    Associated with 00:19:a9:40:84:23
    CTRL-EVENT-EAP-STARTED EAP authentication started
    OpenSSL: pending error: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
    OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
    OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
    OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
    CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
    OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
    CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
    WPA: Key negotiation completed with 00:19:a9:40:84:23 [PTK=TKIP GTK=TKIP]
    CTRL-EVENT-CONNECTED - Connection to 00:19:a9:40:84:23 completed (auth) [id=1 id_str=]

    It looks ugly with all these OpenSSL pending errors, but it works. No idea if these might give a pointer to why it fails on Symbian?
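    The whole procedure above, from CA to .p12, as an added example that is not the poster's commands nor any easy-rsa or FreeRADIUS script: it uses openssl(1) with an inline config in place of easy-rsa's $KEY_CONFIG, signs with "openssl x509 -req" instead of "openssl ca" so no index/serial database is needed, and ends with the checks worth running before the files go anywhere, including the rule from post #2 that the client certificate must be issued directly by the trust anchor with no intermediate. The subject fields, the client CN 90887424 and the passphrase adgadg come from the thread; the CA common name "MySone CA", the 2048-bit keys and the temp directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the CA, server and client
# material that post #8 makes with easy-rsa, using only openssl(1) and an
# inline config, then run the checks to do before the files go on the phone
# and into FreeRADIUS. Assumes openssl(1) in PATH. Subject fields, CN
# 90887424 and passphrase "adgadg" come from the thread; the CA name, key
# size and temp directory are assumptions of this example.
set -eu

build_eap_tls_pki() (
    dir=$(mktemp -d)
    cd "$dir"
    subj="/C=NO/ST=Rogaland/L=Stavanger/O=MySone/OU=MyUnit"

    # Extension profiles. EAP-TLS peers look at extendedKeyUsage:
    # the RADIUS cert needs serverAuth, the phone's cert needs clientAuth.
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = overridden by -subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
[ client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF

    # 1. Self-signed CA; ca.der is what gets pushed to the phone.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
        -config ext.cnf -extensions ca_ext -subj "$subj/CN=MySone CA"
    openssl x509 -in ca.crt -outform DER -out ca.der

    # 2. RADIUS server certificate, signed directly by the CA.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -config ext.cnf \
        -subj "$subj/CN=radproxy.mydomain.no"
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 3650 -extfile ext.cnf -extensions server -out server.crt 2>/dev/null

    # 3. Client certificate, also signed directly by the CA: no intermediate,
    #    which is what post #2 says the Symbian TLS client needs.
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -config ext.cnf \
        -subj "$subj/CN=90887424"
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 3650 -extfile ext.cnf -extensions client -out client.crt 2>/dev/null

    # 4. PKCS#12 for the phone, with the CA included and a passphrase set.
    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
        -passout pass:adgadg -out 90887424.p12

    # Checks. Each prints nothing and fails the function on mismatch.
    # a) both leaf certs chain to the anchor the phone will trust
    [ "$(openssl verify -CAfile ca.crt server.crt)" = "server.crt: OK" ] || exit 1
    [ "$(openssl verify -CAfile ca.crt client.crt)" = "client.crt: OK" ] || exit 1
    # b) issuer DN of the client cert is exactly the CA subject DN (direct issuance)
    issuer=$(openssl x509 -in client.crt -noout -issuer | sed 's/^issuer=//')
    anchor=$(openssl x509 -in ca.crt -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$anchor" ] || exit 1
    # c) the EKUs are where FreeRADIUS and the supplicants expect them
    openssl x509 -in server.crt -noout -text | grep -q 'TLS Web Server Authentication' || exit 1
    openssl x509 -in client.crt -noout -text | grep -q 'TLS Web Client Authentication' || exit 1
    # d) the .p12 opens with its passphrase and holds the client cert
    openssl pkcs12 -in 90887424.p12 -passin pass:adgadg -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q 90887424 || exit 1

    echo "$dir"
)

pki=$(build_eap_tls_pki)
echo "EAP-TLS test PKI written to $pki"
```

    Run it with sh and it prints the directory holding ca.der, server.key/server.crt for the tls{} section and 90887424.p12 for the phone. Two caveats, neither reported by the thread: OpenSSL 3.x writes PKCS#12 with AES-256-CBC and PBKDF2 by default, which importers of the thread's era may not parse, and its pkcs12 -legacy option switches back to the older RC2/3DES encoding; and both the thread's -nodes and this script leave the private keys unencrypted on disk, so keep the working directory off shared storage and delete it when done.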

  9. #9 Regular Contributor (joined May 2007, 463 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    By the looks of it, those OpenSSL errors from wpa_supplicant are normal. It looks like it's going down its list of possible key formats ("Is this a DER encoded key... no. Is this a PEM encoded key... no. Is this a PKCS#12 file... yes").

    However, what I'm really interested in knowing is what you're doing to configure the phone, and the relevant section of the openradius configuration file.

  10. #10 Registered User (joined Aug 2007, 7 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    Not sure what relevant sections you want (drop me an email at janfrode@tanso.net and I'll email you all our radius config-files)...

    But this is all I think is relevant:

    # grep -v \# /etc/raddb/eap.conf|grep -v ^$
    eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
            auth_type = PAP
        }
        tls {
            private_key_file = ${raddbdir}/certs/smartsone/server.key
            certificate_file = ${raddbdir}/certs/smartsone/server.crt
            CA_file = ${raddbdir}/certs/smartsone/ca.crt
            dh_file = ${raddbdir}/certs/dh1024.pem
            random_file = ${raddbdir}/certs/random
        }
        ttls {
            default_eap_type = md5
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }

    And username "asles" listed in /etc/raddb/users without any arguments makes RADIUS accept this as a TLS user without any password.

    Phone-config:

    wlan-mode = infrastructure
    wlan-security = WPA/WPA2
    WPA/WPA2 = EAP
    WPA2-only = no
    EAP-pr.comp (hope this translates right)
    Only EAP-TLS enabled
    User cert = my user cert
    CA cert = my self created ca cert
    username in use = user configured
    username = asle
    domain in use = from certificate
    ciphers = all enabled

    BTW: We're using freeradius, not openradius.

  11. #11 Registered User (joined Aug 2007, 7 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    Update:

    We've been using the "easy-rsa" scripts from the openvpn distribution. This sets the policy to:

    policy = policy_match

    # For the CA policy
    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    While the sample scripts that come with FreeRADIUS use policy_anything, where everything is optional... I don't understand how this could be relevant when we are using the same settings for countryName/stateOrProvinceName/organizationName... But maybe... Unfortunately a couple of others have started using the CA cert now (for EAP-TTLS), so I need to be a bit careful with my changes.

    Do you think this can be relevant?

  12. #12 Regular Contributor (joined May 2007, 463 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    This part looks a bit dodgy,

    eap {
        default_eap_type = md5

    I'd make that

    eap {
        default_eap_type = tls

    but anyway, I'll email you with a few things I'd do to help debugging.

  13. #13 Registered User (joined Aug 2007, 7 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    Yeah, noticed these and fixed them. Didn't make any difference.

    Current eap.conf:

    eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
            private_key_file = ${raddbdir}/certs/smartsone/server.key
            certificate_file = ${raddbdir}/certs/smartsone/server.crt
            CA_file = ${raddbdir}/certs/smartsone/ca.crt
            dh_file = ${raddbdir}/certs/dh1024.pem
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }
        ttls {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }

  14. #14 Registered User (joined Aug 2007, 4 posts)

    Re: EAP-TLS, freeradius and symbian keystore ?

    Sorry for bringing this thread up again, but I found this one using Google, and I am experiencing problems with EAP-TLS, too.

    But I haven't come as far as you.

    We are using EAP-TLS at our company, and I have a CA cert, a client cert and a key file, all of them in PEM format, working with Linux and wpa_supplicant.

    I have already converted the CA cert into DER format and pushed it to my Nokia E65 running the FW 1.0633.18.01 using OBEX PUSH. This self-signed cert is now successfully imported into my phone and I can see it under the certificate manager.

    Sorry if the expressions do not match the English ones exactly, but my E65 is using the German user interface.

    But now to my problem:

    I created a p12 file using:

    openssl pkcs12 -export -inkey key.pem -in client.pem -out client.p12

    When I try to push this file to my phone, it detects both the cert and my key in the client.p12 file, but when I try to save the client.p12 I get the German error "privater Schlüssel fehlerhaft", which would translate to "your private key is erroneous".

    Do you have any hints on how the format of my private key has to be when generating the .p12 file?

    Do I have any possibilities to debug a little deeper into this error message? I would like to see if there is a more detailed error description of what exactly is wrong with my private key.
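    An added example, not from the thread, for the "private key erroneous" import failure above: the three things to check on a key and certificate before building the .p12, namely which PEM encoding the key file uses, whether the key actually belongs to the certificate, and which algorithm ended up protecting the key bag inside the .p12. The self-signed test pair and the passphrase adgadg (reused from post #8) are constructed here so the script runs stand-alone; in practice point the functions at your own key.pem and client.pem. The SHA-1/3DES choice for the PKCS#12 encoding is this example's assumption about what an older importer accepts, not a documented Symbian requirement.

```shell
#!/bin/sh
# Added example, not code from the thread: checks to run on a key/cert pair
# before exporting the .p12 that post #14 could not import. The key pair is
# generated here only so the script runs on its own; use your own
# key.pem / client.pem instead. Assumes openssl(1). SHA-1/3DES for the
# PKCS#12 encoding is an assumption about old importers, not a Symbian fact.
set -eu

# PEM label of a key file: "RSA PRIVATE KEY" (PKCS#1, written by older
# openssl genrsa), "PRIVATE KEY" (PKCS#8) or "ENCRYPTED PRIVATE KEY"
# (PKCS#8 with a passphrase). An importer may accept only some of these.
key_pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# "yes" if the private key and the certificate carry the same public key,
# which is the first thing an importer verifies when it says the key is bad.
key_matches_cert() {
    if [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]; then
        echo yes
    else
        echo no
    fi
}

# Algorithm protecting the key bag inside a .p12, as openssl reports it.
# "openssl pkcs12 -info" writes this summary to stderr, hence the 2>&1.
p12_key_pbe() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -nokeys -nocerts 2>&1 \
        | sed -n 's/^Shrouded Keybag: \([^,]*\).*/\1/p' | head -n 1
}

run_checks() (
    dir=$(mktemp -d)
    cd "$dir"
    # Constructed test pair (self-signed, valid one day) standing in for the
    # reader's key.pem and client.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out client.pem \
        -days 1 -subj "/CN=eap-tls-test" 2>/dev/null

    # 1. Normalise the key to unencrypted PKCS#8 before exporting; which label
    #    "openssl genrsa" / "openssl req" wrote depends on the OpenSSL version.
    openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem
    # 2. Export with explicit, old-style algorithms instead of the
    #    version-dependent default (OpenSSL 3.x defaults to AES/PBKDF2).
    openssl pkcs12 -export -inkey key8.pem -in client.pem -out client.p12 \
        -passout pass:adgadg -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1

    echo "original key: $(key_pem_label key.pem)"
    echo "pkcs8 key: $(key_pem_label key8.pem)"
    echo "key matches cert: $(key_matches_cert key8.pem client.pem)"
    echo "p12 key bag: $(p12_key_pbe client.p12 adgadg)"
)

run_checks
```

    The last line of output is the one to compare against what the phone can read: if the key bag says PBES2 or AES, the .p12 was written with modern defaults that a 2007-era importer has never seen, and the explicit -keypbe/-certpbe/-macalg flags are the way to pin the older encoding. The "key matches cert" line is the check for the other common cause of a rejected key: a key.pem that does not belong to client.pem at all.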

  15. #15 Nokia Developer Champion (joined Mar 2003, 4,105 posts)
    What about switching the language of your phone to English?

    All the ideas I have: Does this private key belong to the same authority (root certificate) and contain the full path (possible intermediate certificate[s]) to the root certificate?
