Linux and Unix Users Group at Virginia Teck Wiki β

Changes

Virginia Tech Wifi

2,234 bytes added, 00:16, 20 June 2017
Certificate Pinning
''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.''
===Obtaining the Certificate Chain===
The certificate presented by the RADIUS server is chained as such:
* GlobalSign Root CA - R3
** Trusted Root CA SHA256 G2
*** Virginia Tech Global Qualified Server CA
**** eduroam.nis.vt.edu

Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root; the signature chain helps with the rest), consider where you are obtaining it from and how much trust you have that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option.

====GlobalSign Root CA - R3====
''Filename:'' GlobalSign_Root_CA_-_R3.pem

''Subject:'' OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem</code>. If you are unable to locate it in your OS, you can get it directly from [https://2029.globalsign.com/ GlobalSign].

====Trusted Root CA SHA256 G2====
''Filename:'' TrustedRootCASHA256G2.pem

''Subject:'' C = BE, OU = Trusted Root, O = GlobalSign nv-sa, CN = Trusted Root CA SHA256 G2

This is an intermediate certificate, again issued by GlobalSign. You can get it directly from GlobalSign [https://support.globalsign.com/customer/portal/articles/1211591-trusted-root-intermediate-certificates here].

====Virginia Tech Global Qualified Server CA====
''Filename:'' VirginiaTechGlobalQualifiedServerCA.pem

''Subject:'' C = US, ST = Virginia, L = Blacksburg, OU = Global Qualified Server CA, O = Virginia Polytechnic Institute and State University, CN = Virginia Tech Global Qualified Server CA

This can be obtained from the Virginia Tech PKI [http://www.pki.vt.edu/developer/rootca.html#globalqualifiedserver website]. This website is only available from VT IP addresses (including VPN). Although certificates higher in the chain are also provided here, the page does ''not'' support https. '''''DO NOT''''' get your root CA here.

====eduroam.nis.vt.edu====
''Filename:'' eduroam.nis.vt.edu.crt

''Subject:'' C = US, ST = Virginia, L = Blacksburg, O = Virginia Polytechnic Institute and State University, CN = eduroam.nis.vt.edu

This can be obtained from the [https://apps.pki.vt.edu/ca-manager/search VTCA Certificate Manager]. This requires PID login. Search for "eduroam.nis.vt.edu". '''Note''': As of 2017 June 19, there will be 2 results, due to some internal testing. Download the certificate with serial 3699307517ED7E8B. The certificate with serial 7A083CC134D0303D is ''incorrect''.

===Validating the certificate===
<ol>
<li> Obtain ''all'' certificates in the chain ''in PEM format'' </li>
<li> Concatenate the non-leaf certificates into a single file:</li>
<pre>$ cat GlobalSign_Root_CA_-_R3.pem TrustedRootCASHA256G2.pem VirginiaTechGlobalQualifiedServerCA.pem > ca.pem</pre>
<li> Verify the certificates are signed correctly </li>
<pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu.crt
eduroam.nis.vt.edu.crt: OK</pre>
<li> For at least the root and leaf certificates, verify the subject (compare to the subjects listed above) </li>
<pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre>
</ol>

===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ Cracking MS-CHAPv2]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication.

Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.

Validate the certificate (see above), then generate the sha256 hash:
<pre>$ openssl x509 -in eduroam.nis.vt.edu.crt -outform der | sha256sum</pre>
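As an added example (not part of the original wiki article), the same DER-hash pin computed in Python rather than with openssl, tolerating CRLF line endings and concatenated bundles such as ca.pem, with a constant-time comparison against the expected value. The `hash://server/sha256/` form is wpa_supplicant's documented ca_cert pinning syntax; the sample DER bytes are constructed and are not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# One PEM certificate block; re.S lets the base64 body span lines (LF or CRLF).
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """DER bytes of every certificate in a PEM file or concatenated bundle.
    Whitespace in the base64 body is ignored, so a re-wrapped or CRLF copy of a
    certificate decodes to identical DER and therefore to the same pin."""
    ders = [base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
            for m in _PEM_BLOCK.finditer(pem_text)]
    if not ders:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return ders

def sha256_pin(der):
    """The canonical pin: lowercase hex SHA256 over the DER encoding."""
    return hashlib.sha256(der).hexdigest()

def pins_from_pem(pem_text):
    return [sha256_pin(d) for d in pem_to_der_list(pem_text)]

def matches_pin(pem_text, expected_hex):
    """Constant-time check that the single certificate in pem_text has the
    expected pin; colons and case in the operator-typed value are normalised."""
    ders = pem_to_der_list(pem_text)
    if len(ders) != 1:
        raise ValueError("expected exactly one certificate, got %d" % len(ders))
    want = expected_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(sha256_pin(ders[0]), want)

def wpa_supplicant_ca_cert(pin_hex):
    """wpa_supplicant's ca_cert syntax for pinning a RADIUS server certificate."""
    return 'ca_cert="hash://server/sha256/%s"' % pin_hex

# Constructed stand-in for DER bytes (NOT a real certificate) so this runs
# offline; in practice read eduroam.nis.vt.edu.crt from disk instead.
SAMPLE_DER = b"\x30\x82\x00\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(SAMPLE_DER).decode())
# The same certificate with CRLF line endings and a different wrap point.
SAMPLE_PEM_CRLF = SAMPLE_PEM.replace("\n", "\r\n").replace("BgIB", "Bg\r\nIB", 1)

if __name__ == "__main__":
    pin = pins_from_pem(SAMPLE_PEM)[0]
    print(pin, wpa_supplicant_ca_cert(pin), sep="\n")
```

Hashing the PEM text itself gives a different (and non-canonical) value; only the decoded DER bytes produce the pin the network manager compares against.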