nokiabot's Avatar
Posts: 1,974 | Thanked: 1,834 times | Joined on Mar 2013 @ india
#11
While we are on WLAN, I guess we also face some different problems, like wireless not connecting automatically on a sudden drop of signal or a very weak signal, as when moving to a different room or going to the other side.
As of the recent outbreak in cheap technology, apps like Xender on Android have become a standard like Bluetooth, so how do we receive files on the N900? I know how to send and receive files to a PC or laptop (Ubuntu, SUSE, etc.), i.e. ease of use. But when the N900 with an Android or Windows phone is in question, it gets my head scratching every time.
Thanks
 
Posts: 175 | Thanked: 210 times | Joined on Mar 2013
#12
Originally Posted by pali View Post
Hello,

I'm trying to fix problems with WPA-EAP authentication on Nokia N900. Please tell me all problems you know and which should be fixed.

I already have fixes for these bugs:
Allow to use certificate without passphrase for EAP-TLS - https://bugs.maemo.org/show_bug.cgi?id=1574
Cancelling EAP-TLS passphrase dialog loose wifi connection until reboot - https://bugs.maemo.org/show_bug.cgi?id=11243
Remember passcode for EAP-TTLS/EAP-GTC and EAP-PEAP/EAP-GTC auth types - https://bugs.maemo.org/show_bug.cgi?id=6960
Allow to select EAP-TTLS/PAP auth type - https://bugs.maemo.org/show_bug.cgi?id=1635

The first two bugs are fixed in CSSU-Devel and the second two have a manual solution (see bug trackers). See this thread about CSSU-Devel: http://talk.maemo.org/showthread.php?t=84292

Please test and let me know if WPA-EAP is now working better on Nokia N900.

And now I'm trying to fix this bug:
Autoconnect to WPA-EAP networks - https://bugs.maemo.org/show_bug.cgi?id=3399
Man, I just have to say that you are awesome. I've seen that you posted some solutions to some problems lately, but this one is exactly a problem I had; to be more specific, the one with "Remember passcode for EAP-TTLS/EAP-GTC and EAP-PEAP/EAP-GTC auth types". I've posted here about that problem but without any solution, and you managed to find a simple solution to a problem that was marked as "no fix". Really, thank you.

Now I still have a little issue with this problem, maybe you can find a solution to that too.
When I connect to a EAP-PEAP/EAP-GTC network that doesn't require any certificate, before connecting, I get a message saying something like (my N900 is not in English so this may not be very accurate) :

Code:
Certificate not valid. Check date and time.
Example Server Certificate.
And only a "Done" button. If I press the button "Done" the connection is made without any further issues (so it seems to be only a visual problem).
I want to mention that this happened even before I entered the command to remember the passcode, so I don't think it is related to it.
If you could find a solution for not getting this "pop-up" which only needs to press the "done" button it would be great.

Thank you anyway for all the work you put in Maemo.
 

The Following User Says Thank You to Malakai For This Useful Post:
Community Council | Posts: 680 | Thanked: 1,227 times | Joined on Sep 2010 @ Mbabane
#13
fwiw, in your case there actually is a certificate
but you don't have the root in your N900.
 

The Following User Says Thank You to sicelo For This Useful Post:
Posts: 2,153 | Thanked: 8,462 times | Joined on May 2010
#14
@Malakai: This is because the server certificate expired.

You can try to set the "EAP_disable_certificate_check" gconf key to boolean value true (with -t boolean). Maybe it works, maybe not. When you try it, let me know.
 

The Following 2 Users Say Thank You to pali For This Useful Post:
Posts: 175 | Thanked: 210 times | Joined on Mar 2013
#15
Originally Posted by sicelo View Post
fwiw, in your case there actually is a certificate
but you don't have the root in your N900.
You mean that even if I don't specify a certificate when asked by the connection wizard (so I leave it blank), a certificate is still required and that certificate should be in my N900 as every other certificates?
If yes, is there a security problem by not having that certificate and connecting to that wifi hotspot? In other words what does that certificate secure? The user and password used? The connection?

Originally Posted by pali View Post
@Malakai: This is because the server certificate expired.
Same question : is there a security issue by not using the certificate?

Originally Posted by pali View Post
You can try to set the "EAP_disable_certificate_check" gconf key to boolean value true (with -t boolean). Maybe it works, maybe not. When you try it, let me know.
Will this command be the one to use as I am not sure :

$ gconftool -s -t boolean /system/osso/connectivity/IAP/<UUID>/EAP_disable_certificate_check true

As I am out of town, it will have to wait for a few days as I don't have access to any of my ISPs wifi hotspots where I am, but as soon as I will try it I will let you know.
 
Community Council | Posts: 680 | Thanked: 1,227 times | Joined on Sep 2010 @ Mbabane
#16
Malakai, the network passes down a certificate in the 1st phase of authentication. Your device tries to verify this cert, hence if you don't have the root on device, or device time is wrong, or cert has expired, you get the error you already get.

You are correct that this protects the user's password from sniffing. Even when you don't have the cert, and don't verify, the connection still does get encrypted. The risk here is that someone could set up a rogue network and therefore see your password. Verifying is advised if at all possible.
 

The Following 2 Users Say Thank You to sicelo For This Useful Post:
Posts: 2,153 | Thanked: 8,462 times | Joined on May 2010
#17
Originally Posted by Malakai View Post
You mean that even if I don't specify a certificate when asked by the connection wizard (so I leave it blank), a certificate is still required and that certificate should be in my N900 as every other certificates?
If yes, is there a security problem by not having that certificate and connecting to that wifi hotspot? In other words what does that certificate secure? The user and password used? The connection?
First you need to understand how wifi is working. There are more layers, to simplify it:

- wifi frames
- aes encryption
- wpa2 protocol (key exchange, encryption)
- eap auth

Basically wpa2 is there to get keys for aes encryption (every packet is encrypted) and those keys change over time. Normally packets of all clients are encrypted with the same aes key, so you can listen to the (encrypted) communication of other clients. But when you are also using the EAP protocol in wpa2 (sometimes called wpa2-enterprise), each connected client has a different aes key and therefore you cannot monitor & decrypt the communication of other clients. The EAP protocol is there for client authentication plus for the keying material needed for aes encryption.

EAP, which stands for Extensible Authentication Protocol, is an easy protocol which can support a lot of algorithms/methods that provide authentication plus a way of exchanging wpa2/aes keys.

The EAP methods PEAP, TLS and TTLS use the TLS protocol for creating a secure channel between client and AP. EAP is an unencrypted protocol.

So the next layer is TLS. Same implementation as in web browsers (https). The server sends the public part of the server certificate and all certificates in the chain signed by some certificate authority.

To be sure that you are speaking with the correct TLS server, you need to have (at least) the fingerprint of trusted certificates in your local store. Same as with https.

So, you need to trust the certificate because:

* it is used for creating the secure tunnel with the server in which you send your username & password for authentication to the wifi hotspot (in the case of PAP and GTC, the password is in plain text)

* it is used for exchanging aes keys between client and wifi hotspot; the keys are used for encrypting all packets

Originally Posted by Malakai View Post
Will this command be the one to use as I am not sure :

$ gconftool -s -t boolean /system/osso/connectivity/IAP/<UUID>/EAP_disable_certificate_check true

As I am out of town, it will have to wait for a few days as I don't have access to any of my ISPs wifi hotspots where I am, but as soon as I will try it I will let you know.
Yes, but I really do not know if it works...
 

The Following 3 Users Say Thank You to pali For This Useful Post:
Posts: 175 | Thanked: 210 times | Joined on Mar 2013
#18
Thanks sicelo and pali for the explanation, it is now (a little) more clear to me. But I will have one question.

Is it possible for me to accept that certificate and have it in the N900 for the other times I connect to my ISP wifi network?
What I mean is that for https, for instance, when I use a self-signed certificate I can store it so the next time I'm visiting the website it is trusted. The same thing happened when my mail provider changed his smtps and imaps certificates and I had to manually accept them in Modest to connect securely. The next time I checked my mails there wasn't any warning.

But in this case there is no dialog box asking to accept the certificate, it simply says :

Code:
Certificate not valid. Check date and time.
Example Server Certificate.
And all I can do is press "Done" to connect.

So is there a possibility to accept that certificate?
 
Community Council | Posts: 680 | Thanked: 1,227 times | Joined on Sep 2010 @ Mbabane
#19
Pali correctly indicated that perhaps said certificate has expired. So you may have to just check with your ISP.

However, I also get that error with my own WPA-Enterprise network with self-signed certificate, when the root is not on device. Adding it causes the error to not come up anymore.

In your case, if the certificate is not expired, you are still going to need to contact your ISP for their root cert.

They may have it on some website of theirs or something actually ..
 

The Following User Says Thank You to sicelo For This Useful Post:
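Added example, not part of any post in this thread: the failure causes sicelo lists in #16 (root not on the device, wrong device time, expired certificate) and the fix from #19, reproduced offline with the `openssl` command-line tool on a desktop rather than with the N900's own EAP stack. The CAs, the certificates and the function names `make_root` and `check_server_cert` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name and certificate is generated here, none is from the thread.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_root NAME PREFIX: self-signed root CA valid for 10 years.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$work/$2.key" -out "$work/$2.pem" 2>/dev/null
}
make_root "Example Root CA" ca        # the root the network operator would publish
make_root "Unrelated Root CA" other   # stands in for a device store without that root

# Server certificate for the authentication server, signed by the first root,
# valid for 30 days from now.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Server Certificate" \
    -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 30 -out "$work/srv.pem" 2>/dev/null

# check_server_cert STORE [EPOCH]: verify the server certificate against trust
# store STORE as a client whose clock reads EPOCH (default: now).
# Prints "ok" or the first reason OpenSSL gives for rejecting the chain.
check_server_cert() {
    store=$1
    when=${2:-$(date +%s)}
    out=$(openssl verify -CAfile "$work/$store.pem" -attime "$when" \
        "$work/srv.pem" 2>&1) || true
    case "$out" in
        *": OK"*) echo "ok" ;;
        *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
    esac
}

now=$(date +%s)
echo "root on device, clock correct : $(check_server_cert ca)"
echo "root not on device            : $(check_server_cert other)"
echo "clock reset to 2009-01-01     : $(check_server_cert ca 1230768000)"
echo "60 days later (cert expired)  : $(check_server_cert ca $((now + 60 * 86400)))"
```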
Posts: 175 | Thanked: 210 times | Joined on Mar 2013
#20
Originally Posted by pali View Post
So, you need to trust the certificate because:

* it is used for creating the secure tunnel with the server in which you send your username & password for authentication to the wifi hotspot (in the case of PAP and GTC, the password is in plain text)

* it is used for exchanging aes keys between client and wifi hotspot; the keys are used for encrypting all packets
Should I understand that in my case (EAP-GTC) even if using a certificate the user and pass are sent in plain text? Or that only in the case of PEAP, TLS and TTLS the user and pass are encrypted so the necessity to use a certificate with EAP-GTC is mandatory to have the user and pass encrypted, otherwise the user and password are sent unencrypted?
 
Tags
maemo 5, wpa-eap, wpa2-eap
