EAP-TLS, freeradius and symbian keystore ?

[janfrode]

We're in the process of setting up EAP-TLS authentication for series60 phones, and are having some difficulties. The radius server is authenticating our PC's just fine with EAP-TLS, but when doing the same with nokia phones (E65, N95, E60) we're having problems..

We've uploaded the same ca.der and client.p12 to the phone, as we use on PC's.. But when connecting the server sends a Access-Challenge -- and then the phone pops up a password prompt for the key store... and once this is entered nothing else happens on the server. We suspect that the password prompt for the key store might be interrupting the authentication process, and it would be very nice if we could disable the keystore. Is that possible?

Anybody else have experience with using EAP-TLS on phones? Together with freeradius?

[cdavies]

It seems rather unlikely that freeradius is so delay intolerant. I'm not sure what you mean by "disable the key store" since that is, after all, where your key is. The keystore is based on cryptotokens, and you'll be asked once per session for the keystore passphrase to unlock it.

As a rather primitive debugging mechanism, I suggest you upload a second set of credentials to the phone (another PKCS#12 file.) If client auth goes to plan, you should get a dialog asking you to choose which client certificate you want to use for the session.

Use the N95 as the device to debug it on, since it has Symbian OS 9.2 on it and some of the changes myself and others made to the client auth code will probably be on device. However, client auth in the TLS client is still a complete mess (This is *not* my fault, it was written by monkeys) so you have to be very carefully about how you use it.

Specifically, your client certificate should be issued directly by the trust anchor the radius server sends as the request DN, with no intervening intermediate certificates.

If you can watch the traffic going to and from the radius server with wireshark, see if the client is sending a alert or something.

Edit: Oh, another thing I though of. The keystore passphrase won't be the same thing as the key passphrase for your PKCS#12 file. I guess you probably know that already, but it bears mentioning. I doubt Nokia has any error reporting worth a damn on EAP-TLS, after all they don't on anything else.....

[janfrode]

When connecting to our access-point, this is the traffic I see on the radius server:


08:55:20.564498 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3a length: 174
08:55:20.569365 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3a length: 113
08:55:20.870758 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3b length: 189
08:55:20.872781 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3b length: 97
08:55:20.895307 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3c length: 251
08:55:20.898478 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3c length: 1133
08:55:20.919690 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3d length: 189
08:55:20.921709 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3d length: 1133
08:55:20.942792 IP hhhhh-ldap1-a.gggg.net.filenet-rpc > 213.167.97.98.radius: RADIUS, Access Request (1), id: 0x3e length: 189
08:55:20.944371 IP 213.167.97.98.radius > hhhhh-ldap1-a.gggg.net.filenet-rpc: RADIUS, Access Challenge (11), id: 0x3: e length: 230

At this point my cellphone asks me to enter the key store password, I enter it and it goes to "Connecting..", but I never see any more traffic on the radius server. And the phone is just "Connecting.." until I reboot it.

BTW: I'm only prompted for the key store password, not for the .p12 password. I don't have a password on the key inside the .p12, so I assume it removes the .p12 password once it imports the cert and key from it when installed.. ?

We'll try upgrading to N95 to latest OS, and probably also try upgrading to latest freeradius.

Update: Latest freeradius didn't change anything.
Update2: Upgrading the N95 didn't change anything either. It just hangs after the key store password has been entered, and no traffic is seen on the radius-server at this point.

[traud]

janfrode, have you success with any phone so far? If I recall correctly, I tested a Nokia E70 last year and EAP-TLS with the demo certificates (./raddb/certs/) of FreeRADIUS: No problem. All I had to change was the date and time on phone to make the certs valid, of course.

cdavies, why does it asks for the keystore password so often? As it looks like you are in touch of Nokia, would it not possible for Nokia to keep the session of the keystore open until the phone is switched off when the security-password-key-lock is active? Or even better combine the security-lock with the keystore-passphrase and ask for that at the start of the phone. For example with IMAP-IDLE, the current behaviour is a real burden. When the connection is lost and retried later, the session seems to close and passphrase has to be given again. If I recall it correctly, in Apple Mac OS X I do not have to enter the keystore (keychain) passphrase again and again, or is that operating system more insecure?

[cdavies]

Well, I don't know that Mac OS X is insecure, but I do think the Symbian behaviour is a good idea. It's like sudo, or kerberos. You put your credentials in and you get a token, and you can access keystore operations until your token expires.

I can't quite remember how the keystore security management API goes, but there's a lot about the security policy that is configurable per key. It's possible that that includes the token timeout, but I can't remember. If it does Nokia could just add that to the key management settings screen.

BTW, I don't really know anyone at Nokia working on this (and my views are not those of Nokia.) I just used to work for the Symbian security team, and both keystore and TLS are Symbian components.

PS. All this talk of client auth made me want to play with it on real phones, but I can't actually find what the default keystore PIN is, can anyone enlighten me? It doesn't appear to be anything obvious like 123456.

[janfrode]

There wasn't a default key store password. The first time I needed to store a client certificate, it prompted me to set the password for the key store (and I wasn't allowed to not set it, or set it too short).

I agree with traud that the key store is cumbersome, and also quite inconsistent (why does it only protect client certs, and not all the other passwords that are used for f.eks. mschapv2 or similar?). It would be much nicer if there would be a function that locked the phone (not just for passphrase but for everything except accepting incoming calls), and that required a real passphrase to unlock. Once it was unlocked, everything should be unlocked.

A strong idle-lock of the whole phone is actually a requirement for the company my wife works in (banking) if they're going to use smartphones, and the reason they're only allowed to use HTC phones currently.

And.. no success so far with getting EAP-TLS working.. BTW: this posting made me wonder if it was a known fact that EAP-TLS isn't working ?? :

http://discussions.europe.nokia.com/...ssage.id=48186

[cdavies]

Ah, I seem to vaguely recall that Nokia phones support only PAP authentication, not CHAP for some reason. Am I right in thinking from the log snippets you've posted that you're using CHAP? As the other poster says, EAP-TLS definitely does work.

Edit: Having looked at it on my phone, it's the other way around. It's PAP, not CHAP that is unsupported.
Edit 2: Actually, thinking about it, it would be easier if you just described your set up in detail and what you're doing to configure then phone, and then I'll try and figure out what else you should be doing to get it to work.

[janfrode]

OK, here's what we're doing:

I create our CA by:

% openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG
Country Name (2 letter code) [NO]:
State or Province Name (full name) [Rogaland]:
Locality Name (eg, city) [Stavanger]:
Organization Name (eg, company) [MySone]:
Organizational Unit Name (eg, section) []:MyUnit
Common Name (eg, your name or your server's hostname) []:
Email Address [mysone@mydomain.no]:

Convert the ca cert to DER format and upload it to the phone:

% openssl x509 -inform PEM -outform DER -in ca.crt -out ca.der


Create a radius server cert:

% openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config $KEY_CONFIG

-----
Country Name (2 letter code) [NO]:
State or Province Name (full name) [Rogaland]:
Locality Name (eg, city) [Stavanger]:
Organization Name (eg, company) [MySone]:
Organizational Unit Name (eg, section) []:MyUnit
Common Name (eg, your name or your server's hostname) []:radproxy.mydomain.no
Email Address [myemail@mydomain.no]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Sign it:
$ openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config $KEY_CONFIG
Using configuration from /etc/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NO'
stateOrProvinceName :PRINTABLE:'Rogaland'
localityName :PRINTABLE:'Stavanger'
organizationName :PRINTABLE:'MySone'
organizationalUnitName:PRINTABLE:'MyUnit'
commonName :PRINTABLE:'radproxy.mydomain.no'
emailAddress :IA5STRING:'mysone@mydomain.no'
Certificate is to be certified until Aug 5 12:06:38 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

I put the server.key, server.crt and ca.crt into the freeradius configurations private_key_file, certificate_file, CA_file. Plus the dh_file and random_file. Then that's all config we have in the tls{}-section.

I add a username to the "users"-file, so that we will blindly trust any username provided in a eap-tls authenticated session.

Then I create a client key/cert and transfer to the phone:

% openssl req -days 3650 -nodes -new -keyout client.key -out client.csr -config $KEY_CONFIG
Country Name (2 letter code) [NO]:
State or Province Name (full name) [Rogaland]:
Locality Name (eg, city) [Stavanger]:
Organization Name (eg, company) [MySone]:
Organizational Unit Name (eg, section) []:MyUnit
Common Name (eg, your name or your server's hostname) []:90887424
Email Address [mysone@mydomain.no]:janfrode@tanso.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Sign it:
% openssl ca -days 3650 -out client.crt -in client.csr -config $KEY_CONFIG
Using configuration from /etc/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NO'
stateOrProvinceName :PRINTABLE:'Rogaland'
localityName :PRINTABLE:'Stavanger'
organizationName :PRINTABLE:'MySone'
organizationalUnitName:PRINTABLE:'MyUnit'
commonName :PRINTABLE:'90887424'
emailAddress :IA5STRING:'janfrode@tanso.net'
Certificate is to be certified until Aug 6 07:21:07 2017 GMT (3650 days)
Sign the certificate? [y/n]:y


Convert it to p12:

% openssl pkcs12 -export -inkey client.key -in client.crt -out /tmp/90887424.p12

and download this .p12-file into my cellphone. Then I configure my cellphone to use the client certificate from the .p12-file, and CA-certificat from my ca.der-file. And I user a user-specified username that match the username listed in the freeradius "users" file.

When trying to connect, my phone just hangs after I've entered the key store password, and nothing is seen on the radius server after this (even checking tcpdump).





Then I try using the exact same files (except ca.crt instead of ca.der) with wpa_supplicant on linux. The complete configuration I use there is:

% cat /etc/wpa_supplicant/wpa_supplicant.conf
network={
ssid="MySone"
proto=WPA
key_mgmt=WPA-EAP
pairwise=TKIP
group=TKIP
eap=TLS
ca_cert="/tmp/mysone/ca.crt"
private_key="/tmp/mysone/90887424.p12"
private_key_passwd="adgadg"

identity="asles"
}

And I get connected with the radius server by executing:

# wpa_supplicant -iath0 -c /etc/wpa_supplicant/wpa_supplicant.conf -w
Associated with 00:19:a9:40:84:23
CTRL-EVENT-EAP-STARTED EAP authentication started
OpenSSL: pending error: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:19:a9:40:84:23 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:19:a9:40:84:23 completed (auth) [id=1 id_str=]



It looks ugly with all these openssl pending errors, but works. No idea if these might give a pointer to why it fails on symbian.. ?

[cdavies]

By the looks of it, those openssl errors from WPA supplicant are normal. It looks like it's going down its list of possible key formats ("Is this DER encoded key... no, Is this a PEM encoded key... no, Is this a PKCS#12 file.. yes")

However, what I'm really interested in knowing is what you're doing to configure the phone, and the relevant section of the openradius configuration file.

[janfrode]

Not sure what relevant sections you want (drop me an email at janfrode@tanso.net and I'll email you all our radius config-files)...

But this is all I think is relevant:

# grep -v \# /etc/raddb/eap.conf|grep -v ^$
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_file = ${raddbdir}/certs/smartsone/server.key
certificate_file = ${raddbdir}/certs/smartsone/server.crt
CA_file = ${raddbdir}/certs/smartsone/ca.crt
dh_file = ${raddbdir}/certs/dh1024.pem
random_file = ${raddbdir}/certs/random
}
ttls {
default_eap_type = md5
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}


And username "asles" listed in /etc/raddb/users without any arguments.. makes radius accept this as a tls-user without any password.

Phone-config:

wlan-mode = infrastructure
wlan-security = WPA/WPA2
WPA/WPA2 = EAP
WPA2-only = no
EAP-pr.comp (hope this translates right)
Only EAP-TLS enabled
User cert = my user cert
CA cert = my self created ca cert
username in use = user configured
username = asle
domain in use = from certificate
ciphers = all enabled


BTW: We're using freeradius, not openradius.

[janfrode]

Update:

We've been using the "easy-rsa" scripts from the openvpn distribution. This sets the policy to:

policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional


While the sample scripts that comes with freeradius uses policy_anything where everything is optional... I don't understand that this could be relevant when we are using the same settings for countryName/stateOrProvinceName/organizationName... But maybe... Unfortunately a couple of others have started using the ca cert now (for eap-ttls), so I need to be a bit carefull with my changes.

Do you think this can be relevant?

[cdavies]

This part looks a bit dodgy,

eap {
default_eap_type = md5

I'd make that

eap {
default_eap_type = tls

but anyway, I'll email you with a few things I'd do to help debugging.

[janfrode]

Yea, noticed these and fixed them. Didn't make any difference..

Current eap.conf:

eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_file = ${raddbdir}/certs/smartsone/server.key
certificate_file = ${raddbdir}/certs/smartsone/server.crt
CA_file = ${raddbdir}/certs/smartsone/ca.crt
dh_file = ${raddbdir}/certs/dh1024.pem
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}
ttls {
default_eap_type = mschapv2
}
mschapv2 {
}
}

[nig16]

Sorry for bringing this thread up again, but I found this one using google, and I am experiencing problems with EAP-TLS, too.

But I haven't come as far as you.

We are using EAP-TLS at our company, and I have a CA cert, a client cert and a keyfile. All of them in PEM format working with Linux and wpa_supplicant.

I have already converted the CA cert into DER format and pushed it to my Nokia E65 running the FW 1.0633.18.01 using OBEX PUSH. This self signed cert is now successfully imported into my phone and I can see it under the certificate manager.

Sorry if the expressions do not match exactly the english ones, but my E65 is using German user interface.

But now to my problem:

I created a p12 file using:

openssl pkcs12 -export -inkey key.pem -in client.pem -out client.p12

When I try to push this file on my phone, it detects both the cert and my key in the client.p12 file, but when I try to save the client.p12 I am getting the german error "privater schlüssel fehlerhaft", which would translate into "your privat key is erroneous".

Do you have any hints how the format of my private key has to be when generating the .p12 file?

Do I have any possibilities to debug a little deeper into this error message? I would like to see if there is more detailed error description what exactly is wrong with my private key?

[traud]

What about switching the language of your phone to English?

All ideas I have: Does this private key belong to the same authority (root certificate) and contains the full path (possible intermediate certificate[s]) to the root certificate?