Package: debian-edu-config Version: 2.12.20 Severity: normalThe debian-edu-config ships a script to setup a freeRadius service on TJENER. This script uses a script from bin:pkg freeradius named /usr/share/doc/freeradius/examples/certs/bootstrap
Starting with Android 11 QPR1, we must provide certificates that have a valid "domain" set. For this domain, the CN of the freeradius-server.crt file gets used (or any other value in subjectAltnames.
During the bootstrap script execution a server.csr file gets created with proper subjectAltNames extension support, but this gets losted when CA signing this .csr file. The resulting .crt file won't have subjectAltnames support and commonName will also be set to "Debian Edu freeRADIUS Server Certificate".
I have now modified the openssl .cnf files in TJENER's /etc/freeradius/3.0/certs/ in this way:
``` diff --git a/freeradius/3.0/certs/server.cnf b/freeradius/3.0/certs/server.cnf index 271ace9..3898944 100644 --- a/freeradius/3.0/certs/server.cnf +++ b/freeradius/3.0/certs/server.cnf @@ -51,7 +51,7 @@ stateOrProvinceName = Radius localityName = Somewhere organizationName = Debian Edu emailAddress = postmaster@postoffice.intern -commonName = "Debian Edu freeRADIUS Server Certificate" +commonName = freeradius.intern [ v3_req ] basicConstraints = CA:FALSE ``` ```diff --git a/freeradius/3.0/certs/xpextensions b/freeradius/3.0/certs/xpextensions
index 70d229c..2529a45 100644 --- a/freeradius/3.0/certs/xpextensions +++ b/freeradius/3.0/certs/xpextensions @@ -73,3 +73,15 @@ certificatePolicies = 1.3.6.1.4.1.40808.1.3.2 # to generate these certs. # # 1.3.6.1.4.1.311.17.2 + +subjectAltName = @alt_names + +# This should be a host name of the RADIUS server. +# Note that the host name is exchanged in EAP *before* +# the user machine has network access. So the host name +# here doesn't really have to match anything in DNS. +[alt_names] +DNS.1 = freeradius.intern + +# NAIRealm from RFC 7585 +otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.intern ```When now recreating the server.key, server.csr and server.crt files they have the subjectAltNames extension support in the .crt file and the domain is set to "freeradius.intern
I still need to get customer feedback if the new certificates work as expected on recent Android 11 devices.
Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Attachment:
pgpaS4ITFngNv.pgp
Description: Digitale PGP-Signatur