SecureW2 - XP (error message: Received an invalid server certificate, please verify your certificate configuration)
Hi Guys,

We use SecureW2 widely to allow clients to connect to the wireless network using 802.1X. This is mainly used on XP, 7 and Vista. The backend is RADIUS (Radiator). Recently we renewed the certificate on our RADIUS servers to a 1024 Thawte-signed SSL server cert, which is essentially the same as what we had before, except Thawte have now introduced two intermediates in the chain. The chain, for anyone who is interested, is as follows:

--------
Thawte Premium Server CA (top level root)
thawte Primary Root CA (primary intermediate)
thawte SSL CA (secondary intermediate)
Our signed certificate
--------

Note, the SecureW2 (4.0.0.(17) for XP) supplicant used is built to verify the certificate as follows:
- Verify against the "Trusted Root CA": Thawte Premium Server CA (Thumbprint 62 7f 8d 78 27 65 63 99 d2 7d 7f 90 44 c9 fe b3 f3 3e fa 9a)
- Verify CN: eduroam.monash.edu.au

As such, by default we don't check against the Windows local certificate trust / repository.

After this change, we noticed that some Windows clients (at this stage common to the XP, Vista and 7 platforms) have reported that they get the following error message when they connect to the wireless service: "Received an invalid server certificate, please verify your certificate configuration"

Note, there are numerous other XP and Vista machines that do not experience this issue - from a client base of about 4000-5000, say about 200 or so experience this error message. Not to mention various Linux distributions and Mac machines that work fine without any certificate verification issues.

A quick fix (albeit undesirable) at this stage for us is to not verify the server certificate at all. For completeness we have verified with Thawte (about the certificate) and Radiator (about the Radiator config) how the certificate should be installed on the server side. Given that the server side is correct (as far as we can tell now), we're now focused on troubleshooting the client side.
To this end, I have two basic questions which I'm hoping to get some clarification on, from others who may have experienced a similar issue with SecureW2 and Windows!

1. SecureW2 explicitly specifying a "Trusted Root CA"

Currently, as mentioned above, our SecureW2 supplicant is built to specify a "Trusted Root CA" cert of: Thawte Premium Server CA. What are people's understanding of "Trusted Root CA"? In a chained situation as we now have (after the certificate renewal), does "Trusted Root CA" refer to:
a) The top level root, i.e. Thawte Premium Server CA?, or
b) The top level root and the intermediate certificates?, or
c) Does the main config file used to build the customised SecureW2 client need to be changed to include the intermediates in the chain?

While the simple case is just a single-tier setup (as we used to have without intermediates), the SecureW2 documentation (http://www.securew2.com/resources/guides/ConfigurationGuide.pdf) isn't clear on this. We have done a lot of testing with both a) and b) above, with mixed results. Haven't found a pattern yet, because some machines work with just Thawte Premium Server CA specified, while others require thawte Primary Root CA. So having a clear understanding of what is meant by Trusted Root CA in a chained setup is essential.

2. SecureW2 pointing directly to the Windows local cert repository

When pointing directly to the Windows certificate repository, "verify server certificate" within the supplicant is ticked, but no certificate is explicitly specified. We find again that in some cases this works, in others it doesn't. This in theory should always work, as long as the repository is up to date. We now have a way of updating the repository after having downloaded "rootsupd". In cases where it is not working, is there a way of checking (via logs perhaps) as to what is going on?
In principle one would think that a check performed by a browser to verify a certificate is no different to what the supplicant would be doing against the local repository.

------------
Debug messages

For anyone who is interested, here are some debug logs. Windows\tracing\EAP-TTLS.log indicates the following when the error message is encountered:

SW2EapMethodProcess::SW2_AUTH_STATE_Server_Hello::Verifying certificate
SW2_CertVerifyServerName()
SW2EapMethodProcess()::verifying servername: eduroam.monash.edu.au, expecting: eduroam.monash.edu.au
SW2_CertVerifyServerName()::found substring: eduroam.monash.edu.au
SW2EapMethodProcess()::verifying certificate chain
SW2_VerifyCertificateChain()
SW2_VerifyCertificateChain()::Created pChainContext
SW2_VerifyCertificateChain()::chain could not be validated( 20 )
SW2_VerifyCertificateChain(), freeing pChainContext
SW2_VerifyCertificateChain()::returning -2146893019
SW2EapMethodProcess::updating states
<snip>
SW2_ReadProfile: going to read certificates
SW2_ReadCertificates: opened key (HKEY_LOCAL_MACHINE\SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\RootCACert)
SW2_ReadProfile: found cbData(20)
SW2_XorData::cbDataIn: 20, cbKey: 256
SW2_ReadProfile: pbTrustedRootCAList[0] 788D7F62 99636527 907F7DD2 B3FEC944 |x.b.ce'.}....D|
9AFA3EF3 00000000 00000000 00000000 |..>.............|
SW2_RegGetValue::RegQueryValueEx(Certificate.1) FAILED: b7
SW2_ReadCertificates: returning 0, found 1 certificates
SW2_ReadProfile: opening key (HKEY_LOCAL_MACHINE\SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials)
SW2_ReadProfile: opened key (HKEY_LOCAL_MACHINE\SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials)
SW2_ReadProfile: found cbData(512)
SW2_XorData::cbDataIn: 512, cbKey: 256
SW2_ReadProfile: going to read user configuration
SW2_ReadProfile: using thread token
SW2_ReadProfile: FAILED to read user thread token: 1008
SW2_ReadProfile: FAILED to read user process token: 6
SW2_ReadProfile: opening key: SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials
SW2_ReadProfile: dwReturnCode: 0, 6
SW2_ReadProfile: opened user key (SOFTWARE\SecureW2\SecureW2 TTLS\3.0.0\Profiles\Monash-Connect\Credentials)
SW2_ReadProfile: RegQueryValueEx(PromptUser)(0): (1)
SW2_ReadProfile: RegQueryValueEx(UserName)(0): ()
SW2_ReadProfile: UserPassword 343:
SW2_XorData::cbDataIn: 512, cbKey: 256
SW2_ReadProfile: returning: 0
SW2_HandleInteractiveError(-2146893019, 5)
SW2_HandleError
SW2_ReportEvent( SW2EapMethodInvokeInteractiveUI Failed, 80090325 )
SW2_ReportEvent() returning
SW2_HandleError:: returning
SW2_HandleInteractiveError::pVoid valid
SW2_HandleInteractiveError::SW2_RAS_Function_InvokeInteractiveUI::LastAuthState:1
SW2_HandleInteractiveError::(84): Received an invalid server certificate, please verify your certificate configuration
<snip>

As you can see above, the thumbprint of the Root CA cert is checked, but the result is an error, because the chain couldn't be verified. Any idea what error code 20 means here: SW2_VerifyCertificateChain()::chain could not be validated( 20 )? And also what error code b7 means here: SW2_RegGetValue::RegQueryValueEx(Certificate.1) FAILED: b7?
As a point of comparison, here is a successful attempt:

SW2EapMethodProcess::SW2_AUTH_STATE_Server_Hello::Verifying certificate
SW2_CertVerifyServerName()
SW2EapMethodProcess()::verifying servername: eduroam.monash.edu.au, expecting: eduroam.monash.edu.au
SW2_CertVerifyServerName()::found substring: eduroam.monash.edu.au
SW2EapMethodProcess()::verifying certificate chain
SW2_VerifyCertificateChain()
SW2_VerifyCertificateChain()::Created pChainContext
SW2_VerifyCertificateChain()::number of chains: 1
SW2_VerifyCertificateChain()::number of elements: 4
SW2_VerifyCertificateChain()::pRootCACertContext(811)
<snip>
TLSGetSHA1::SHA1(20) 788D7F62 99636527 907F7DD2 B3FEC944 |x.b.ce'.}....D|
9AFA3EF3 00000000 00000000 00000000 |..>.............|
TLSGetSHA1::returning
SW2_VerifyCertificateInList
SW2_VerifyCertificateInList:: nr of ca in list: 1
SW2_VerifyCertificateInList:: returning 0
SW2_VerifyCertificateChain(), freeing pChainContext
SW2_VerifyCertificateChain()::returning 0

The only other thought is, are we hitting a bug with the SecureW2 supplicant?! Since we don't yet have support with SecureW2, this is a little difficult to check.

Let me know if there are any questions / thoughts or comments - any light shed would be most appreciated.

thanks
Sheldon
October 29th, 2010 9:37pm
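An added helper for reading the EAP-TTLS.log excerpts quoted in the post (example code written for this page, not SecureW2's own code and not from the original poster). It assumes the log's hex dump prints the stored pbTrustedRootCAList entry as little-endian 32-bit words, and that the "( 20 )" value is the hex CERT_TRUST_STATUS.dwErrorStatus that CertGetCertificateChain reports, where 0x20 is CERT_TRUST_IS_UNTRUSTED_ROOT; the HRESULT -2146893019 is 0x80090325, SEC_E_UNTRUSTED_ROOT. The sample log line is the one from the failing attempt above, and decoding it reproduces the configured thumbprint.

```python
import re

WORD = re.compile(r"\b([0-9A-Fa-f]{8})\b")
# CERT_TRUST_STATUS.dwErrorStatus bits from wincrypt.h (subset).
CERT_TRUST_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
}
# SSPI HRESULTs that TLS chain validation commonly surfaces.
HRESULT_NAMES = {
    0x80090325: "SEC_E_UNTRUSTED_ROOT",
    0x80090328: "SEC_E_CERT_EXPIRED",
}

def dump_to_bytes(dump, length):
    """Decode '788D7F62 99636527 ... |x.b.ce'.| ...' into raw bytes: each hex
    word is assumed to be a little-endian DWORD; text between '|' is the ASCII gutter."""
    out = bytearray()
    for i, chunk in enumerate(dump.split("|")):
        if i % 2 == 0:                      # even chunks hold the hex words
            for word in WORD.findall(chunk):
                out += int(word, 16).to_bytes(4, "little")
    return bytes(out[:length])

def thumbprint_bytes(text):
    """'62 7f 8d 78 ...' as shown by certmgr -> raw bytes."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", text))

def stored_root_matches(log_text, configured_thumbprint):
    """True if the profile's pbTrustedRootCAList[0] dump equals the configured thumbprint."""
    m = re.search(r"pbTrustedRootCAList\[0\](.*?)(?=SW2_|\Z)", log_text, re.S)
    want = thumbprint_bytes(configured_thumbprint)
    return bool(m) and dump_to_bytes(m.group(1), len(want)) == want

def decode_chain_status(status_hex):
    """Map the '( 20 )' value (assumed hex) to CERT_TRUST_STATUS flag names."""
    status = int(status_hex, 16)
    return [name for bit, name in CERT_TRUST_FLAGS.items() if status & bit]

def decode_hresult(signed_value):
    """The log prints the HRESULT as a signed int; recover the code and its name."""
    code = signed_value & 0xFFFFFFFF
    return code, HRESULT_NAMES.get(code, "unknown")

# Constructed sample: the pbTrustedRootCAList line of the failing attempt, as extracted.
SAMPLE_LOG = ("SW2_ReadProfile: pbTrustedRootCAList[0] 788D7F62 99636527 907F7DD2 B3FEC944 "
              "|x.b.ce'.}....D| 9AFA3EF3 00000000 00000000 00000000 |..>.............| SW2_RegGetValue")
CONFIGURED = "62 7f 8d 78 27 65 63 99 d2 7d 7f 90 44 c9 fe b3 f3 3e fa 9a"
```

A match from stored_root_matches only shows the profile stores the thumbprint the supplicant was built with; the flag names from decode_chain_status say why Windows' chain engine rejected the chain that was actually built on that client.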
