SecureW2 - XP (error message: Received an invalid server certificate, please verify your certificate configuration)

    Question

    Hi Guys,

    We use SecureW2 widely to allow clients to connect to the wireless network using 802.1x. This is mainly used on XP, 7 and Vista.  The backend is Radius (Radiator).

    Recently we renewed the certificate on our radius servers to a 1024 Thawte signed SSL Server Cert, which is essentially the same as what we had before, except Thawte have now introduced two intermediates in the chain.  The chain for anyone who is interested is as follows:

    --------

    Thawte Premium Server CA (top level root)

    thawte Primary Root CA  (primary intermediate)

    thawte SSL CA (secondary intermediate)

    Our Signed certificate

    --------

    Note, the SecureW2 (4.0.0.(17) for XP) supplicant used is built to verify the certificate as follows:

    - Verify against the "Trusted Root CA": Thawte Premium Server CA

      (Thumbprint 62 7f 8d 78 27 65 63 99 d2 7d 7f 90 44 c9 fe b3 f3 3e fa 9a)

    - Verify CN: eduroam.monash.edu.au

    As such, by default we don't check against the Windows local certificate trust / repository.

    After this change, we noticed that some Windows clients (at this stage common to the XP, Vista and 7 platforms), have reported that they get the following error message when they connect to the wireless service:

    "Received an invalid server certificate, please verify your certificate configuration"

    Note, there are numerous other XP and Vista machines that do not experience this issue - from a client base of about 4000-5000, say about 200 or so experience this error message.  Not to mention various Linux distributions and Mac machines that work fine without any certificate verification issues.

    A quick fix (albeit undesirable) at this stage for us is to not verify the server certificate at all.

    For completeness we have verified with Thawte (about the certificate) and Radiator (about the Radiator config) and how the certificate should be installed on the server side.

    Given that the server side is correct (as far as we can tell now), we're now focused on troubleshooting the client side.  To this end, I have two basic questions which I'm hoping to get some clarification on, from others who may have experienced a similar issue with SecureW2 and Windows!

    1. SecureW2 explicitly specifying a "Trusted Root CA"

    Currently as mentioned above, our SecureW2 supplicant is built to specify a "Trusted Root CA"  cert of: Thawte Premium Server CA.  What are people's understanding of "Trusted Root CA"?  In a chained situation as we now have (after the certificate renewal), does "Trusted Root CA" refer to:

    a) The top level root, i.e. Thawte Premium Server CA?, or

    b) The top level root and the intermediate certificates?, or

    c) Does the main config file used to build the customised SecureW2 client need to be changed to include the intermediates in the chain?

    While the simple case is just a single tier setup (as we used to have without intermediates), the SecureW2 documentation (http://www.securew2.com/resources/guides/ConfigurationGuide.pdf) isn't clear on this.

    We have done a lot of testing with both a) and b) above, with mixed results.  Haven't found a pattern yet because some machines work with just Thawte Premium Server CA specified, while others require thawte Primary Root CA.  So having a clear understanding of what is meant by Trusted Root CA in a chained setup is essential.

    2. SecureW2 pointing directly to Windows local cert repository

    When pointing directly to the Windows certificate repository, "verify server certificate" within the supplicant is ticked, but no certificate is explicitly specified. We find again that in some cases this works, in others it doesn't.  This in theory should always work, as long as the repository is up to date.  We now have a way of updating the repository after having downloaded "rootsupd". In cases where it is not working, is there a way of checking (via logs perhaps) what is going on? In principle one would think that a check performed by a browser to verify a certificate is no different to what the supplicant would be doing against the local repository.

    ------------

    Debug messages

    For anyone who is interested, here are some debug logs: Windows\tracing\EAP-TTLS.log shows the following when the error message is encountered.

    SW2EapMethodProcess::SW2_AUTH_STATE_Server_Hello::Verifying certificate
    SW2_CertVerifyServerName()
    SW2EapMethodProcess()::verifying servername: eduroam.monash.edu.au, expecting: eduroam.monash.edu.au
    SW2_CertVerifyServerName()::found substring: eduroam.monash.edu.au
    SW2EapMethodProcess()::verifying certificate chain
    SW2_VerifyCertificateChain()
    SW2_VerifyCertificateChain()::Created pChainContext
    SW2_VerifyCertificateChain()::chain could not be validated( 20 )  
    SW2_VerifyCertificateChain(), freeing pChainContext
    SW2_VerifyCertificateChain()::returning -2146893019    
    SW2EapMethodProcess::updating states

    <snip>

    SW2_ReadProfile: going to read certificates
    SW2_ReadCertificates: opened key (HKEY_LOCAL_MACHINE\SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\RootCACert)
    SW2_ReadProfile: found cbData(20)
    SW2_XorData::cbDataIn: 20, cbKey: 256
    SW2_ReadProfile: pbTrustedRootCAList[0]
    788D7F62 99636527 907F7DD2 B3FEC944 |x.b.ce'.}....D|
    9AFA3EF3 00000000 00000000 00000000 |..>.............|

    SW2_RegGetValue::RegQueryValueEx(Certificate.1) FAILED: b7
    SW2_ReadCertificates: returning 0, found 1 certificates
    SW2_ReadProfile: opening key (HKEY_LOCAL_MACHINE\SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials)
    SW2_ReadProfile: opened key (HKEY_LOCAL_MACHINE\SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials)
    SW2_ReadProfile: found cbData(512)
    SW2_XorData::cbDataIn: 512, cbKey: 256
    SW2_ReadProfile: going to read user configuration
    SW2_ReadProfile: using thread token
    SW2_ReadProfile: FAILED to read user thread token: 1008
    SW2_ReadProfile: FAILED to read user process token: 6
    SW2_ReadProfile: opening key: SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials
    SW2_ReadProfile: dwReturnCode: 0, 6
    SW2_ReadProfile: opened user key (SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials)
    SW2_ReadProfile: RegQueryValueEx(PromptUser)(0): (1)
    SW2_ReadProfile: RegQueryValueEx(UserName)(0): ()
    SW2_ReadProfile: UserPassword
    343: SW2_XorData::cbDataIn: 512, cbKey: 256
    SW2_ReadProfile: returning: 0
    SW2_HandleInteractiveError(-2146893019, 5)
    SW2_HandleError
    SW2_ReportEvent( SW2EapMethodInvokeInteractiveUI Failed, 80090325 )
    SW2_ReportEvent() returning
    SW2_HandleError:: returning
    SW2_HandleInteractiveError::pVoid valid
    SW2_HandleInteractiveError::SW2_RAS_Function_InvokeInteractiveUI::LastAuthState:1
    SW2_HandleInteractiveError::(84): Received an invalid server certificate, please verify your certificate configuration

    <snip>

    As you can see above, the thumbprint of the Root CA Cert is checked, but the result is an error, because the chain couldn't be verified.  Any idea what error code 20 means here: SW2_VerifyCertificateChain()::chain could not be validated( 20 ) ? And also what error code b7 means here: SW2_RegGetValue::RegQueryValueEx(Certificate.1) FAILED: b7?


    As a point of comparison here is a successful attempt:

    SW2EapMethodProcess::SW2_AUTH_STATE_Server_Hello::Verifying certificate
    SW2_CertVerifyServerName()
    SW2EapMethodProcess()::verifying servername: eduroam.monash.edu.au, expecting: eduroam.monash.edu.au
    SW2_CertVerifyServerName()::found substring: eduroam.monash.edu.au
    SW2EapMethodProcess()::verifying certificate chain
    SW2_VerifyCertificateChain()
    SW2_VerifyCertificateChain()::Created pChainContext
    SW2_VerifyCertificateChain()::number of chains: 1
    SW2_VerifyCertificateChain()::number of elements: 4

    SW2_VerifyCertificateChain()::pRootCACertContext(811)

    <snip>

    TLSGetSHA1::SHA1(20)
    788D7F62 99636527 907F7DD2 B3FEC944 |x.b.ce'.}....D|
    9AFA3EF3 00000000 00000000 00000000 |..>.............|
    TLSGetSHA1::returning
    SW2_VerifyCertificateInList
    SW2_VerifyCertificateInList:: nr of ca in list: 1
    SW2_VerifyCertificateInList:: returning 0
    SW2_VerifyCertificateChain(), freeing pChainContext
    SW2_VerifyCertificateChain()::returning 0

    The only other thought is, are we hitting a bug with the SecureW2 supplicant?!  Since we don't yet have support with SecureW2, this is a little difficult to check. 

    Let me know if there are any questions / thoughts or comments - any light shed would be most appreciated.

    thanks

    Sheldon

    Saturday 30 October 2010 01:32
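Two of the questions in the post (whether the dumped pbTrustedRootCAList entry really is the configured thumbprint, and what the return values 20 and -2146893019 mean) can be checked offline. The Python below is an added example, not code from the post or from SecureW2: it re-reads the SW2 hex dump as little-endian DWORDs and compares it with the thumbprint quoted in the post, maps the signed return value to the documented Windows constant SEC_E_UNTRUSTED_ROOT (0x80090325), and expands the chain-status word into CryptoAPI CERT_TRUST_* bits. It assumes the chain-status value is printed in hex, as the supplicant does for the b7 registry error, and uses a constructed copy of the dump lines from the log.

```python
import re

# Constructed copy of the pbTrustedRootCAList dump from the post's EAP-TTLS.log
SW2_DUMP = """\
SW2_ReadProfile: found cbData(20)
SW2_ReadProfile: pbTrustedRootCAList[0]
788D7F62 99636527 907F7DD2 B3FEC944 |x.b.ce'.}....D|
9AFA3EF3 00000000 00000000 00000000 |..>.............|
"""
# Thumbprint the customised supplicant was built with, as quoted in the post
CONFIGURED_THUMBPRINT = "62 7f 8d 78 27 65 63 99 d2 7d 7f 90 44 c9 fe b3 f3 3e fa 9a"
# Documented Windows constants: CryptoAPI chain-status bits (wincrypt.h) and the
# SSPI status value that the supplicant returns when chain validation fails
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
}
SEC_E_UNTRUSTED_ROOT = 0x80090325

def thumbprint_from_dump(log_text):
    """Recover the SHA-1 thumbprint from SW2's hex dump: each 8-digit column is
    a little-endian DWORD, so bytes are reversed within each group, and cbData(N)
    gives the real length (the rest of the buffer is zero padding)."""
    length = int(re.search(r"cbData\((\d+)\)", log_text).group(1))
    raw = bytearray()
    for line in log_text.splitlines():
        m = re.match(r"^((?:[0-9A-Fa-f]{8}\s+){4})\|", line.strip())
        if m:
            for word in m.group(1).split():
                raw += bytes.fromhex(word)[::-1]
    return raw[:length].hex()

def thumbprint_matches(log_text, configured):
    """True when the dumped list entry equals the thumbprint the build specified."""
    return thumbprint_from_dump(log_text) == configured.replace(" ", "").lower()

def decode_sw2_return(code):
    """Map the signed 32-bit value SW2 logs (e.g. -2146893019) to its HRESULT."""
    hresult = code & 0xFFFFFFFF
    return "SEC_E_UNTRUSTED_ROOT" if hresult == SEC_E_UNTRUSTED_ROOT else "0x%08X" % hresult

def decode_chain_status(status_hex):
    """Expand the chain-status word (assumed hex, like 'b7' elsewhere in the log)
    into the CERT_TRUST_* bits that are set."""
    status = int(status_hex, 16)
    return [name for bit, name in sorted(CERT_TRUST_FLAGS.items()) if status & bit]
```

The dump round-trips to the configured thumbprint, so the profile itself is intact; CERT_TRUST_IS_UNTRUSTED_ROOT means CryptoAPI built a chain on the client but its terminating certificate is not in that machine's trusted root store, which is also the store the "verify against the Windows repository" option in question 2 relies on.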