|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/* |
|
4
|
|
|
* ****************************************************************************** |
|
5
|
|
|
* Copyright 2011-2017 DANTE Ltd. and GÉANT on behalf of the GN3, GN3+, GN4-1 |
|
6
|
|
|
* and GN4-2 consortia |
|
7
|
|
|
* |
|
8
|
|
|
* License: see the web/copyright.php file in the file structure |
|
9
|
|
|
* ****************************************************************************** |
|
10
|
|
|
*/ |
|
11
|
|
|
|
|
12
|
|
|
namespace core\diag; |
|
13
|
|
|
|
|
14
|
|
|
/** |
|
15
|
|
|
* base class of the various test classes. |
|
16
|
|
|
* |
|
17
|
|
|
* Its main purpose is to initialise some error messages. |
|
18
|
|
|
* |
|
19
|
|
|
* @author Stefan Winter <[email protected]> |
|
20
|
|
|
*/ |
|
21
|
|
|
class AbstractTest extends \core\common\Entity { |
|
22
|
|
|
|
|
23
|
|
|
/** |
|
24
|
|
|
* generic return codes |
|
25
|
|
|
* |
|
26
|
|
|
* @var array |
|
27
|
|
|
*/ |
|
28
|
|
|
public $returnCodes; |
|
29
|
|
|
|
|
30
|
|
|
/** |
|
31
|
|
|
* Test was executed and the result was as expected. |
|
32
|
|
|
*/ |
|
33
|
|
|
const RETVAL_OK = 0; |
|
34
|
|
|
|
|
35
|
|
|
/** |
|
36
|
|
|
* Test could not be run because CAT software isn't configured for it |
|
37
|
|
|
*/ |
|
38
|
|
|
const RETVAL_NOTCONFIGURED = -100; |
|
39
|
|
|
|
|
40
|
|
|
/** |
|
41
|
|
|
* Test skipped because there was nothing to be done |
|
42
|
|
|
*/ |
|
43
|
|
|
const RETVAL_SKIPPED = -101; |
|
44
|
|
|
|
|
45
|
|
|
/** |
|
46
|
|
|
* test executed, and there were errors |
|
47
|
|
|
*/ |
|
48
|
|
|
const RETVAL_INVALID = -103; |
|
49
|
|
|
// return codes specific to authentication checks |
|
50
|
|
|
/** |
|
51
|
|
|
* no reply at all from remote RADIUS server |
|
52
|
|
|
*/ |
|
53
|
|
|
const RETVAL_NO_RESPONSE = -106; |
|
54
|
|
|
|
|
55
|
|
|
/** |
|
56
|
|
|
* auth flow stopped somewhere in the middle of a conversation |
|
57
|
|
|
*/ |
|
58
|
|
|
const RETVAL_SERVER_UNFINISHED_COMM = -107; |
|
59
|
|
|
|
|
60
|
|
|
/** |
|
61
|
|
|
* a RADIUS server did not want to talk EAP with us, but at least replied with a Reject |
|
62
|
|
|
*/ |
|
63
|
|
|
const RETVAL_IMMEDIATE_REJECT = -108; |
|
64
|
|
|
|
|
65
|
|
|
/** |
|
66
|
|
|
* a RADIUS server talked EAP with us, but didn't like us in the end |
|
67
|
|
|
*/ |
|
68
|
|
|
const RETVAL_CONVERSATION_REJECT = -109; |
|
69
|
|
|
|
|
70
|
|
|
/** |
|
71
|
|
|
* a RADIUS server refuses connection |
|
72
|
|
|
*/ |
|
73
|
|
|
const RETVAL_CONNECTION_REFUSED = -110; |
|
74
|
|
|
|
|
75
|
|
|
/** |
|
76
|
|
|
* not enough data provided to perform an authentication |
|
77
|
|
|
*/ |
|
78
|
|
|
const RETVAL_INCOMPLETE_DATA = -111; |
|
79
|
|
|
|
|
80
|
|
|
/** |
|
81
|
|
|
* PKCS12 password does not match the certificate file |
|
82
|
|
|
*/ |
|
83
|
|
|
const RETVAL_WRONG_PKCS12_PASSWORD = -112; |
|
84
|
|
|
// certificate property errors |
|
85
|
|
|
/** |
|
86
|
|
|
* The root CA certificate was sent by the EAP server. |
|
87
|
|
|
*/ |
|
88
|
|
|
const CERTPROB_ROOT_INCLUDED = -200; |
|
89
|
|
|
|
|
90
|
|
|
/** |
|
91
|
|
|
* There was more than one server certificate in the EAP server's chain. |
|
92
|
|
|
*/ |
|
93
|
|
|
const CERTPROB_TOO_MANY_SERVER_CERTS = -201; |
|
94
|
|
|
|
|
95
|
|
|
/** |
|
96
|
|
|
* There was no server certificate in the EAP server's chain. |
|
97
|
|
|
*/ |
|
98
|
|
|
const CERTPROB_NO_SERVER_CERT = -202; |
|
99
|
|
|
|
|
100
|
|
|
/** |
|
101
|
|
|
* The/a server certificate was signed with an MD5 signature. |
|
102
|
|
|
*/ |
|
103
|
|
|
const CERTPROB_MD5_SIGNATURE = -204; |
|
104
|
|
|
|
|
105
|
|
|
/** |
|
106
|
|
|
* The/a server certificate was signed with an MD5 signature. |
|
107
|
|
|
*/ |
|
108
|
|
|
const CERTPROB_SHA1_SIGNATURE = -227; |
|
109
|
|
|
|
|
110
|
|
|
/** |
|
111
|
|
|
* one of the keys in the cert chain was smaller than 1024 bits |
|
112
|
|
|
*/ |
|
113
|
|
|
const CERTPROB_LOW_KEY_LENGTH = -220; |
|
114
|
|
|
|
|
115
|
|
|
/** |
|
116
|
|
|
* The server certificate did not contain the TLS Web Server OID, creating compat problems with many Windows versions. |
|
117
|
|
|
*/ |
|
118
|
|
|
const CERTPROB_NO_TLS_WEBSERVER_OID = -205; |
|
119
|
|
|
|
|
120
|
|
|
/** |
|
121
|
|
|
* The server certificate did not include a CRL Distribution Point, creating compat problems with Windows Phone 8. |
|
122
|
|
|
*/ |
|
123
|
|
|
const CERTPROB_NO_CDP = -206; |
|
124
|
|
|
|
|
125
|
|
|
/** |
|
126
|
|
|
* The server certificate did a CRL Distribution Point, but not to a HTTP/HTTPS URL. Possible compat problems. |
|
127
|
|
|
*/ |
|
128
|
|
|
const CERTPROB_NO_CDP_HTTP = -207; |
|
129
|
|
|
|
|
130
|
|
|
/** |
|
131
|
|
|
* The server certificate's CRL Distribution Point URL couldn't be accessed and/or did not contain a CRL. |
|
132
|
|
|
*/ |
|
133
|
|
|
const CERTPROB_NO_CRL_AT_CDP_URL = -208; |
|
134
|
|
|
|
|
135
|
|
|
/** |
|
136
|
|
|
* certificate is not currently valid (expired/not yet valid) |
|
137
|
|
|
*/ |
|
138
|
|
|
const CERTPROB_SERVER_CERT_REVOKED = -222; |
|
139
|
|
|
|
|
140
|
|
|
/** |
|
141
|
|
|
* The received server certificate is revoked. |
|
142
|
|
|
*/ |
|
143
|
|
|
const CERTPROB_OUTSIDE_VALIDITY_PERIOD = -221; |
|
144
|
|
|
|
|
145
|
|
|
/** |
|
146
|
|
|
* At least one certificate is outside its validity period (not yet valid, or already expired)! |
|
147
|
|
|
*/ |
|
148
|
|
|
const CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN = -225; |
|
149
|
|
|
|
|
150
|
|
|
/** |
|
151
|
|
|
* At least one certificate is outside its validity period, but this certificate does not take part in servder validation |
|
152
|
|
|
*/ |
|
153
|
|
|
const CERTPROB_TRUST_ROOT_NOT_REACHED = -209; |
|
154
|
|
|
|
|
155
|
|
|
/** |
|
156
|
|
|
* The received certificate chain did not carry the necessary intermediate CAs in the EAP conversation. Only the CAT Intermediate CA installation can complete the chain. |
|
157
|
|
|
*/ |
|
158
|
|
|
const CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES = -216; |
|
159
|
|
|
|
|
160
|
|
|
/** |
|
161
|
|
|
* The received server certificate's name did not match the configured name in the profile properties. |
|
162
|
|
|
*/ |
|
163
|
|
|
const CERTPROB_SERVER_NAME_MISMATCH = -210; |
|
164
|
|
|
|
|
165
|
|
|
/** |
|
166
|
|
|
* The received server certificate's name did not match the configured name in the profile properties. |
|
167
|
|
|
*/ |
|
168
|
|
|
const CERTPROB_SERVER_NAME_PARTIAL_MATCH = -217; |
|
169
|
|
|
|
|
170
|
|
|
/** |
|
171
|
|
|
* One of the names in the cert was not a hostname. |
|
172
|
|
|
*/ |
|
173
|
|
|
const CERTPROB_NOT_A_HOSTNAME = -218; |
|
174
|
|
|
|
|
175
|
|
|
/** |
|
176
|
|
|
* One of the names contained a wildcard character. |
|
177
|
|
|
*/ |
|
178
|
|
|
const CERTPROB_WILDCARD_IN_NAME = -219; |
|
179
|
|
|
|
|
180
|
|
|
/** |
|
181
|
|
|
* The certificate does not set any BasicConstraints; particularly no CA = TRUE|FALSE |
|
182
|
|
|
*/ |
|
183
|
|
|
const CERTPROB_NO_BASICCONSTRAINTS = -211; |
|
184
|
|
|
|
|
185
|
|
|
/** |
|
186
|
|
|
* The server presented a certificate which is from an unknown authority |
|
187
|
|
|
*/ |
|
188
|
|
|
const CERTPROB_UNKNOWN_CA = -212; |
|
189
|
|
|
|
|
190
|
|
|
/** |
|
191
|
|
|
* The server accepted this client certificate, but should not have |
|
192
|
|
|
*/ |
|
193
|
|
|
const CERTPROB_WRONGLY_ACCEPTED = -213; |
|
194
|
|
|
|
|
195
|
|
|
/** |
|
196
|
|
|
* The server does not accept this client certificate, but should have |
|
197
|
|
|
*/ |
|
198
|
|
|
const CERTPROB_WRONGLY_NOT_ACCEPTED = -214; |
|
199
|
|
|
|
|
200
|
|
|
/** |
|
201
|
|
|
* The server does accept this client certificate |
|
202
|
|
|
*/ |
|
203
|
|
|
const CERTPROB_NOT_ACCEPTED = -215; |
|
204
|
|
|
|
|
205
|
|
|
/** |
|
206
|
|
|
* the CRL of a certificate could not be found |
|
207
|
|
|
*/ |
|
208
|
|
|
const CERTPROB_UNABLE_TO_GET_CRL = 223; |
|
209
|
|
|
|
|
210
|
|
|
/** |
|
211
|
|
|
* no EAP method could be agreed on, certs could not be extraced |
|
212
|
|
|
*/ |
|
213
|
|
|
const CERTPROB_NO_COMMON_EAP_METHOD = -224; |
|
214
|
|
|
|
|
215
|
|
|
/** |
|
216
|
|
|
* Diffie-Hellman groups need to be 1024 bit at least, starting with OS X 10.11 |
|
217
|
|
|
*/ |
|
218
|
|
|
const CERTPROB_DH_GROUP_TOO_SMALL = -225; |
|
219
|
|
|
|
|
220
|
|
|
/** |
|
221
|
|
|
* There is more than one CN in the certificate |
|
222
|
|
|
*/ |
|
223
|
|
|
const CERTPROB_MULTIPLE_CN = -226; |
|
224
|
|
|
|
|
225
|
|
|
/** |
|
226
|
|
|
* initialises the error messages. |
|
227
|
|
|
*/ |
|
228
|
|
|
public function __construct() { |
|
229
|
|
|
parent::__construct(); |
|
230
|
|
|
|
|
231
|
|
|
// the numbers are NOT constant - in the course of checks, we may find a "smoking gun" and elevate the probability |
|
232
|
|
|
// in the end, use the numbers of those elements which were not deterministically excluded and normalise to 1 |
|
233
|
|
|
// to get a percentage to report on. |
|
234
|
|
|
|
|
235
|
|
|
$this->possibleFailureReasons = [ |
|
236
|
|
|
Telepath::INFRA_ETLR => 0.01, |
|
237
|
|
|
Telepath::INFRA_LINK_ETLR_NRO_IDP => 0.01, |
|
238
|
|
|
Telepath::INFRA_LINK_ETLR_NRO_SP => 0.01, |
|
239
|
|
|
Telepath::INFRA_NRO_SP => 0.02, |
|
240
|
|
|
Telepath::INFRA_NRO_IDP => 0.02, |
|
241
|
|
|
Telepath::INFRA_SP_RADIUS => 0.04, |
|
242
|
|
|
Telepath::INFRA_IDP_RADIUS => 0.04, |
|
243
|
|
|
Telepath::INFRA_IDP_AUTHBACKEND => 0.02, |
|
244
|
|
|
Telepath::INFRA_SP_80211 => 0.05, |
|
245
|
|
|
Telepath::INFRA_SP_LAN => 0.05, |
|
246
|
|
|
Telepath::INFRA_DEVICE => 0.3, |
|
247
|
|
|
Telepath::INFRA_NONEXISTENTREALM => 0.7, |
|
248
|
|
|
]; |
|
249
|
|
|
|
|
250
|
|
|
$oldlocale = $this->languageInstance->setTextDomain('diagnostics'); |
|
251
|
|
|
$this->returnCodes = []; |
|
252
|
|
|
/** |
|
253
|
|
|
* Test was executed and the result was as expected. |
|
254
|
|
|
*/ |
|
255
|
|
|
$code1 = RADIUSTests::RETVAL_OK; |
|
256
|
|
|
$this->returnCodes[$code1]["message"] = _("Completed"); |
|
257
|
|
|
$this->returnCodes[$code1]["severity"] = \core\common\Entity::L_OK; |
|
258
|
|
|
|
|
259
|
|
|
/** |
|
260
|
|
|
* Test could not be run because CAT software isn't configured for it |
|
261
|
|
|
*/ |
|
262
|
|
|
$code2 = RADIUSTests::RETVAL_NOTCONFIGURED; |
|
263
|
|
|
$this->returnCodes[$code2]["message"] = _("Product is not configured to run this check."); |
|
264
|
|
|
$this->returnCodes[$code2]["severity"] = \core\common\Entity::L_OK; |
|
265
|
|
|
/** |
|
266
|
|
|
* Test skipped because there was nothing to be done |
|
267
|
|
|
*/ |
|
268
|
|
|
$code3 = RADIUSTests::RETVAL_SKIPPED; |
|
269
|
|
|
$this->returnCodes[$code3]["message"] = _("This check was skipped."); |
|
270
|
|
|
$this->returnCodes[$code3]["severity"] = \core\common\Entity::L_OK; |
|
271
|
|
|
|
|
272
|
|
|
/** |
|
273
|
|
|
* test executed, and there were errors |
|
274
|
|
|
*/ |
|
275
|
|
|
$code4 = RADIUSTests::RETVAL_INVALID; |
|
276
|
|
|
$this->returnCodes[$code4]["message"] = _("There were errors during the test."); |
|
277
|
|
|
$this->returnCodes[$code4]["severity"] = \core\common\Entity::L_OK; |
|
278
|
|
|
|
|
279
|
|
|
// return codes specific to authentication checks |
|
280
|
|
|
/** |
|
281
|
|
|
* no reply at all from remote RADIUS server |
|
282
|
|
|
*/ |
|
283
|
|
|
$code7 = RADIUSTests::RETVAL_NO_RESPONSE; |
|
284
|
|
|
$this->returnCodes[$code7]["message"] = _("There was no reply at all from the RADIUS server."); |
|
285
|
|
|
$this->returnCodes[$code7]["severity"] = \core\common\Entity::L_ERROR; |
|
286
|
|
|
|
|
287
|
|
|
/** |
|
288
|
|
|
* auth flow stopped somewhere in the middle of a conversation |
|
289
|
|
|
*/ |
|
290
|
|
|
$code8 = RADIUSTests::RETVAL_SERVER_UNFINISHED_COMM; |
|
291
|
|
|
$this->returnCodes[$code8]["message"] = _("There was a bidirectional communication with the RADIUS server, but it ended halfway through."); |
|
292
|
|
|
$this->returnCodes[$code8]["severity"] = \core\common\Entity::L_ERROR; |
|
293
|
|
|
|
|
294
|
|
|
/** |
|
295
|
|
|
* a RADIUS server did not want to talk EAP with us, but at least replied with a Reject |
|
296
|
|
|
*/ |
|
297
|
|
|
$code9 = RADIUSTests::RETVAL_IMMEDIATE_REJECT; |
|
298
|
|
|
$this->returnCodes[$code9]["message"] = _("The RADIUS server immediately rejected the authentication request in its first reply."); |
|
299
|
|
|
$this->returnCodes[$code9]["severity"] = \core\common\Entity::L_WARN; |
|
300
|
|
|
|
|
301
|
|
|
/** |
|
302
|
|
|
* a RADIUS server talked EAP with us, but didn't like us in the end |
|
303
|
|
|
*/ |
|
304
|
|
|
$code10 = RADIUSTests::RETVAL_CONVERSATION_REJECT; |
|
305
|
|
|
$this->returnCodes[$code10]["message"] = _("The RADIUS server rejected the authentication request after an EAP conversation."); |
|
306
|
|
|
$this->returnCodes[$code10]["severity"] = \core\common\Entity::L_WARN; |
|
307
|
|
|
|
|
308
|
|
|
/** |
|
309
|
|
|
* a RADIUS server refuses connection |
|
310
|
|
|
*/ |
|
311
|
|
|
$code11 = RADIUSTests::RETVAL_CONNECTION_REFUSED; |
|
312
|
|
|
$this->returnCodes[$code11]["message"] = _("Connection refused"); |
|
313
|
|
|
$this->returnCodes[$code11]["severity"] = \core\common\Entity::L_ERROR; |
|
314
|
|
|
|
|
315
|
|
|
/** |
|
316
|
|
|
* not enough data provided to perform an authentication |
|
317
|
|
|
*/ |
|
318
|
|
|
$code12 = RADIUSTests::RETVAL_INCOMPLETE_DATA; |
|
319
|
|
|
$this->returnCodes[$code12]["message"] = _("Not enough data provided to perform an authentication"); |
|
320
|
|
|
$this->returnCodes[$code12]["severity"] = \core\common\Entity::L_ERROR; |
|
321
|
|
|
|
|
322
|
|
|
/** |
|
323
|
|
|
* PKCS12 password does not match the certificate file |
|
324
|
|
|
*/ |
|
325
|
|
|
$code13 = RADIUSTests::RETVAL_WRONG_PKCS12_PASSWORD; |
|
326
|
|
|
$this->returnCodes[$code13]["message"] = _("The certificate password you provided does not match the certificate file."); |
|
327
|
|
|
$this->returnCodes[$code13]["severity"] = \core\common\Entity::L_ERROR; |
|
328
|
|
|
|
|
329
|
|
|
// certificate property errors |
|
330
|
|
|
/** |
|
331
|
|
|
* The root CA certificate was sent by the EAP server. |
|
332
|
|
|
*/ |
|
333
|
|
|
$code14 = RADIUSTests::CERTPROB_ROOT_INCLUDED; |
|
334
|
|
|
$this->returnCodes[$code14]["message"] = _("The certificate chain includes the root CA certificate. This does not serve any useful purpose but inflates the packet exchange, possibly leading to more round-trips and thus slower authentication."); |
|
335
|
|
|
$this->returnCodes[$code14]["severity"] = \core\common\Entity::L_REMARK; |
|
336
|
|
|
|
|
337
|
|
|
/** |
|
338
|
|
|
* There was more than one server certificate in the EAP server's chain. |
|
339
|
|
|
*/ |
|
340
|
|
|
$code15 = RADIUSTests::CERTPROB_TOO_MANY_SERVER_CERTS; |
|
341
|
|
|
$this->returnCodes[$code15]["message"] = _("There is more than one server certificate in the chain."); |
|
342
|
|
|
$this->returnCodes[$code15]["severity"] = \core\common\Entity::L_REMARK; |
|
343
|
|
|
|
|
344
|
|
|
/** |
|
345
|
|
|
* There was no server certificate in the EAP server's chain. |
|
346
|
|
|
*/ |
|
347
|
|
|
$code16 = RADIUSTests::CERTPROB_NO_SERVER_CERT; |
|
348
|
|
|
$this->returnCodes[$code16]["message"] = _("There is no server certificate in the chain."); |
|
349
|
|
|
$this->returnCodes[$code16]["severity"] = \core\common\Entity::L_WARN; |
|
350
|
|
|
|
|
351
|
|
|
/** |
|
352
|
|
|
* A certificate was signed with an MD5 signature. |
|
353
|
|
|
*/ |
|
354
|
|
|
$code17 = RADIUSTests::CERTPROB_MD5_SIGNATURE; |
|
355
|
|
|
$this->returnCodes[$code17]["message"] = _("At least one certificate in the chain is signed with the MD5 signature algorithm. Many Operating Systems, including Apple iOS, will fail to validate this certificate."); |
|
356
|
|
|
$this->returnCodes[$code17]["severity"] = \core\common\Entity::L_WARN; |
|
357
|
|
|
|
|
358
|
|
|
/** |
|
359
|
|
|
* A certificate was signed with an SHA1 signature. |
|
360
|
|
|
*/ |
|
361
|
|
|
$code17a = RADIUSTests::CERTPROB_SHA1_SIGNATURE; |
|
362
|
|
|
$this->returnCodes[$code17a]["message"] = _("At least one certificate in the chain is signed with the SHA-1 signature algorithm. Many Operating Systems, including Apple iOS, will fail to validate this certificate."); |
|
363
|
|
|
$this->returnCodes[$code17a]["severity"] = \core\common\Entity::L_WARN; |
|
364
|
|
|
|
|
365
|
|
|
/** |
|
366
|
|
|
* Low public key length (<1024) |
|
367
|
|
|
*/ |
|
368
|
|
|
$code18 = RADIUSTests::CERTPROB_LOW_KEY_LENGTH; |
|
369
|
|
|
$this->returnCodes[$code18]["message"] = _("At least one certificate in the chain had a public key of less than 1024 bits. Many recent operating systems consider this unacceptable and will fail to validate the server certificate."); |
|
370
|
|
|
$this->returnCodes[$code18]["severity"] = \core\common\Entity::L_WARN; |
|
371
|
|
|
|
|
372
|
|
|
/** |
|
373
|
|
|
* The server certificate did not contain the TLS Web Server OID, creating compat problems with many Windows versions. |
|
374
|
|
|
*/ |
|
375
|
|
|
$code19 = RADIUSTests::CERTPROB_NO_TLS_WEBSERVER_OID; |
|
376
|
|
|
$this->returnCodes[$code19]["message"] = _("The server certificate does not have the extension 'extendedKeyUsage: TLS Web Server Authentication'. Most Microsoft Operating Systems will fail to validate this certificate."); |
|
377
|
|
|
$this->returnCodes[$code19]["severity"] = \core\common\Entity::L_WARN; |
|
378
|
|
|
|
|
379
|
|
|
/** |
|
380
|
|
|
* The server certificate did not include a CRL Distribution Point, creating compat problems with Windows Phone 8. |
|
381
|
|
|
*/ |
|
382
|
|
|
$code20 = RADIUSTests::CERTPROB_NO_CDP; |
|
383
|
|
|
$this->returnCodes[$code20]["message"] = _("The server certificate did not include a CRL Distribution Point, creating compatibility problems with Windows Phone 8."); |
|
384
|
|
|
$this->returnCodes[$code20]["severity"] = \core\common\Entity::L_REMARK; |
|
385
|
|
|
|
|
386
|
|
|
/** |
|
387
|
|
|
* The server certificate did a CRL Distribution Point, but not to a HTTP/HTTPS URL. Possible compat problems. |
|
388
|
|
|
*/ |
|
389
|
|
|
$code21 = RADIUSTests::CERTPROB_NO_CDP_HTTP; |
|
390
|
|
|
$this->returnCodes[$code21]["message"] = _("The server certificate's 'CRL Distribution Point' extension does not point to an HTTP/HTTPS URL. Some Operating Systems may fail to validate this certificate. Checking server certificate validity against a CRL will not be possible."); |
|
391
|
|
|
$this->returnCodes[$code21]["severity"] = \core\common\Entity::L_WARN; |
|
392
|
|
|
|
|
393
|
|
|
/** |
|
394
|
|
|
* The server certificate's CRL Distribution Point URL couldn't be accessed and/or did not contain a CRL. |
|
395
|
|
|
*/ |
|
396
|
|
|
$code22 = RADIUSTests::CERTPROB_NO_CRL_AT_CDP_URL; |
|
397
|
|
|
$this->returnCodes[$code22]["message"] = _("The extension 'CRL Distribution Point' in the server certificate points to a non-existing location. Some Operating Systems check certificate validity by consulting the CRL and will fail to validate the certificate. Checking server certificate validity against a CRL will not be possible."); |
|
398
|
|
|
$this->returnCodes[$code22]["severity"] = \core\common\Entity::L_ERROR; |
|
399
|
|
|
|
|
400
|
|
|
/** |
|
401
|
|
|
* The server certificate has been revoked by its CA. |
|
402
|
|
|
*/ |
|
403
|
|
|
$code23 = RADIUSTests::CERTPROB_SERVER_CERT_REVOKED; |
|
404
|
|
|
$this->returnCodes[$code23]["message"] = _("The server certificate was revoked by the CA!"); |
|
405
|
|
|
$this->returnCodes[$code23]["severity"] = \core\common\Entity::L_ERROR; |
|
406
|
|
|
|
|
407
|
|
|
/** |
|
408
|
|
|
* The server certificate's names contained at least which was not a hostname. |
|
409
|
|
|
*/ |
|
410
|
|
|
$code24 = RADIUSTests::CERTPROB_NOT_A_HOSTNAME; |
|
411
|
|
|
$this->returnCodes[$code24]["message"] = _("The certificate contained a CN or subjectAltName:DNS which does not parse as a hostname. This can be problematic on some supplicants. If the certificate also contains names which are a proper hostname, and you only use those for your supplicant configuration, then you can safely ignore this notice."); |
|
412
|
|
|
$this->returnCodes[$code24]["severity"] = \core\common\Entity::L_REMARK; |
|
413
|
|
|
|
|
414
|
|
|
/** |
|
415
|
|
|
* The server certificate's names contained at least one wildcard name. |
|
416
|
|
|
*/ |
|
417
|
|
|
$code25 = RADIUSTests::CERTPROB_WILDCARD_IN_NAME; |
|
418
|
|
|
$this->returnCodes[$code25]["message"] = _("The certificate contained a CN or subjectAltName:DNS which contains a wildcard ('*'). This can be problematic on some supplicants. If the certificate also contains names which are wildcardless, and you only use those for your supplicant configuration, then you can safely ignore this notice."); |
|
419
|
|
|
$this->returnCodes[$code25]["severity"] = \core\common\Entity::L_REMARK; |
|
420
|
|
|
|
|
421
|
|
|
/** |
|
422
|
|
|
* cert is not yet, or not any more, valid |
|
423
|
|
|
*/ |
|
424
|
|
|
$code26 = RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD; |
|
425
|
|
|
$this->returnCodes[$code26]["message"] = _("At least one certificate is outside its validity period (not yet valid, or already expired)!"); |
|
426
|
|
|
$this->returnCodes[$code26]["severity"] = \core\common\Entity::L_ERROR; |
|
427
|
|
|
|
|
428
|
|
|
/** |
|
429
|
|
|
* cert is not yet, or not any more, valid but is not taking part in server validation |
|
430
|
|
|
*/ |
|
431
|
|
|
$code27 = RADIUSTests::CERTPROB_OUTSIDE_VALIDITY_PERIOD_WARN; |
|
432
|
|
|
$this->returnCodes[$code27]["message"] = sprintf(_("At least one intermediate certificate in your CAT profile is outside its validity period (not yet valid, or already expired), but this certificate was not used for server validation. Consider removing it from your %s configuration."), CONFIG['APPEARANCE']['productname']); |
|
433
|
|
|
$this->returnCodes[$code27]["severity"] = \core\common\Entity::L_REMARK; |
|
434
|
|
|
|
|
435
|
|
|
/** |
|
436
|
|
|
* The received certificate chain did not end in any of the trust roots configured in the profile properties. |
|
437
|
|
|
*/ |
|
438
|
|
|
$code28 = RADIUSTests::CERTPROB_TRUST_ROOT_NOT_REACHED; |
|
439
|
|
|
$this->returnCodes[$code28]["message"] = _("The server certificate could not be verified to the root CA you configured in your profile!"); |
|
440
|
|
|
$this->returnCodes[$code28]["severity"] = \core\common\Entity::L_ERROR; |
|
441
|
|
|
|
|
442
|
|
|
$code29 = RADIUSTests::CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES; |
|
443
|
|
|
$this->returnCodes[$code29]["message"] = _("The certificate chain as received in EAP was not sufficient to verify the certificate to the root CA in your profile. It was verified using the intermediate CAs in your profile though. You should consider sending the required intermediate CAs inside the EAP conversation."); |
|
444
|
|
|
$this->returnCodes[$code29]["severity"] = \core\common\Entity::L_REMARK; |
|
445
|
|
|
/** |
|
446
|
|
|
* The received server certificate's name did not match the configured name in the profile properties. |
|
447
|
|
|
*/ |
|
448
|
|
|
$code30 = RADIUSTests::CERTPROB_SERVER_NAME_MISMATCH; |
|
449
|
|
|
$this->returnCodes[$code30]["message"] = _("The EAP server name does not match any of the configured names in your profile!"); |
|
450
|
|
|
$this->returnCodes[$code30]["severity"] = \core\common\Entity::L_ERROR; |
|
451
|
|
|
|
|
452
|
|
|
/** |
|
453
|
|
|
* The received server certificate's name only matched either CN or subjectAltName, but not both |
|
454
|
|
|
*/ |
|
455
|
|
|
$code31 = RADIUSTests::CERTPROB_SERVER_NAME_PARTIAL_MATCH; |
|
456
|
|
|
$this->returnCodes[$code31]["message"] = _("The configured EAP server name matches either the CN or a subjectAltName:DNS of the incoming certificate; best current practice is that the certificate should contain the name in BOTH places."); |
|
457
|
|
|
$this->returnCodes[$code31]["severity"] = \core\common\Entity::L_REMARK; |
|
458
|
|
|
|
|
459
|
|
|
/** |
|
460
|
|
|
* The certificate does not set any BasicConstraints; particularly no CA = TRUE|FALSE |
|
461
|
|
|
*/ |
|
462
|
|
|
$code32 = RADIUSTests::CERTPROB_NO_BASICCONSTRAINTS; |
|
463
|
|
|
$this->returnCodes[$code32]["message"] = _("At least one certificate did not contain any BasicConstraints extension; which makes it unclear if it's a CA certificate or end-entity certificate. At least Mac OS X 10.8 (Mountain Lion) will not validate this certificate for EAP purposes!"); |
|
464
|
|
|
$this->returnCodes[$code32]["severity"] = \core\common\Entity::L_WARN; |
|
465
|
|
|
|
|
466
|
|
|
/** |
|
467
|
|
|
* The server presented a certificate which is from an unknown authority |
|
468
|
|
|
*/ |
|
469
|
|
|
$code33 = RADIUSTests::CERTPROB_UNKNOWN_CA; |
|
470
|
|
|
$this->returnCodes[$code33]["message"] = _("The server presented a certificate from an unknown authority."); |
|
471
|
|
|
$this->returnCodes[$code33]["severity"] = \core\common\Entity::L_ERROR; |
|
472
|
|
|
|
|
473
|
|
|
/** |
|
474
|
|
|
* The server accepted this client certificate, but should not have |
|
475
|
|
|
*/ |
|
476
|
|
|
$code34 = RADIUSTests::CERTPROB_WRONGLY_ACCEPTED; |
|
477
|
|
|
$this->returnCodes[$code34]["message"] = _("The server accepted the INVALID client certificate."); |
|
478
|
|
|
$this->returnCodes[$code34]["severity"] = \core\common\Entity::L_ERROR; |
|
479
|
|
|
|
|
480
|
|
|
/** |
|
481
|
|
|
* The server does not accept this client certificate, but should have |
|
482
|
|
|
*/ |
|
483
|
|
|
$code35 = RADIUSTests::CERTPROB_WRONGLY_NOT_ACCEPTED; |
|
484
|
|
|
$this->returnCodes[$code35]["message"] = _("The server rejected the client certificate, even though it was valid."); |
|
485
|
|
|
$this->returnCodes[$code35]["severity"] = \core\common\Entity::L_ERROR; |
|
486
|
|
|
|
|
487
|
|
|
/** |
|
488
|
|
|
* The server does not accept this client certificate |
|
489
|
|
|
*/ |
|
490
|
|
|
$code36 = RADIUSTests::CERTPROB_NOT_ACCEPTED; |
|
491
|
|
|
$this->returnCodes[$code36]["message"] = _("The server rejected the client certificate as expected."); |
|
492
|
|
|
$this->returnCodes[$code36]["severity"] = \core\common\Entity::L_OK; |
|
493
|
|
|
|
|
494
|
|
|
/** |
|
495
|
|
|
* the CRL of a certificate could not be found |
|
496
|
|
|
*/ |
|
497
|
|
|
$code37 = RADIUSTests::CERTPROB_UNABLE_TO_GET_CRL; |
|
498
|
|
|
$this->returnCodes[$code37]["message"] = _("The CRL of a certificate could not be found."); |
|
499
|
|
|
$this->returnCodes[$code37]["severity"] = \core\common\Entity::L_ERROR; |
|
500
|
|
|
|
|
501
|
|
|
/** |
|
502
|
|
|
* the CRL of a certificate could not be found |
|
503
|
|
|
*/ |
|
504
|
|
|
$code38 = RADIUSTests::CERTPROB_NO_COMMON_EAP_METHOD; |
|
505
|
|
|
$this->returnCodes[$code38]["message"] = _("EAP method negotiation failed!"); |
|
506
|
|
|
$this->returnCodes[$code38]["severity"] = \core\common\Entity::L_ERROR; |
|
507
|
|
|
|
|
508
|
|
|
/** |
|
509
|
|
|
* DH group too small |
|
510
|
|
|
*/ |
|
511
|
|
|
$code39 = RADIUSTests::CERTPROB_DH_GROUP_TOO_SMALL; |
|
512
|
|
|
$this->returnCodes[$code39]["message"] = _("The server offers Diffie-Hellman (DH) ciphers with a DH group smaller than 1024 bit. Mac OS X 10.11 'El Capitan' is known to refuse TLS connections under these circumstances!"); |
|
513
|
|
|
$this->returnCodes[$code39]["severity"] = \core\common\Entity::L_WARN; |
|
514
|
|
|
|
|
515
|
|
|
/** |
|
516
|
|
|
* The server certificate's names contained at least which was not a hostname. |
|
517
|
|
|
*/ |
|
518
|
|
|
$code40 = RADIUSTests::CERTPROB_MULTIPLE_CN; |
|
519
|
|
|
$this->returnCodes[$code40]["message"] = _("The certificate contains more than one CommonName (CN) field. This is reportedly problematic on many supplicants."); |
|
520
|
|
|
$this->returnCodes[$code40]["severity"] = \core\common\Entity::L_WARN; |
|
521
|
|
|
|
|
522
|
|
|
$this->languageInstance->setTextDomain($oldlocale); |
|
523
|
|
|
} |
|
524
|
|
|
|
|
525
|
|
|
/** |
|
526
|
|
|
* turns $this->possibleFailureReasons into something where the sum of all |
|
527
|
|
|
* occurence factors is 1. A bit like a probability distribution, but they |
|
528
|
|
|
* are not actual probabilities. |
|
529
|
|
|
*/ |
|
530
|
|
|
protected function normaliseResultSet() { |
|
531
|
|
|
// done. return both the list of possible problem sources with their occurence rating, and the additional findings we collected along the way. |
|
532
|
|
|
$totalScores = 0.; |
|
533
|
|
|
foreach ($this->possibleFailureReasons as $oneReason => $oneOccurence) { |
|
534
|
|
|
$totalScores += $oneOccurence; |
|
535
|
|
|
} |
|
536
|
|
|
$probArray = []; |
|
537
|
|
|
foreach ($this->possibleFailureReasons as $oneReason => $oneOccurence) { |
|
538
|
|
|
$probArray[$oneReason] = $oneOccurence / $totalScores; |
|
539
|
|
|
} |
|
540
|
|
|
arsort($probArray); |
|
541
|
|
|
$this->possibleFailureReasons = $probArray; |
|
542
|
|
|
} |
|
543
|
|
|
|
|
544
|
|
|
// list of elements of the infrastructure which could be broken |
|
545
|
|
|
// along with their occurence probability (guesswork!) |
|
546
|
|
|
const INFRA_ETLR = "INFRA_ETLR"; |
|
547
|
|
|
const INFRA_LINK_ETLR_NRO_IDP = "INFRA_LINK_ETLR_NRO_IdP"; |
|
548
|
|
|
const INFRA_LINK_ETLR_NRO_SP = "INFRA_LINK_ETLR_NRO_SP"; |
|
549
|
|
|
const INFRA_NRO_SP = "INFRA_NRO_SP"; |
|
550
|
|
|
const INFRA_NRO_IDP = "INFRA_NRO_IdP"; |
|
551
|
|
|
const INFRA_SP_RADIUS = "INFRA_SP_RADIUS"; |
|
552
|
|
|
const INFRA_IDP_RADIUS = "INFRA_IdP_RADIUS"; |
|
553
|
|
|
const INFRA_IDP_AUTHBACKEND = "INFRA_IDP_AUTHBACKEND"; |
|
554
|
|
|
const INFRA_SP_80211 = "INFRA_SP_80211"; |
|
555
|
|
|
const INFRA_SP_LAN = "INFRA_SP_LAN"; |
|
556
|
|
|
const INFRA_DEVICE = "INFRA_DEVICE"; |
|
557
|
|
|
const INFRA_NONEXISTENTREALM = "INFRA_NONEXISTENTREALM"; |
|
558
|
|
|
|
|
559
|
|
|
// statuses derived from Monitoring API |
|
560
|
|
|
|
|
561
|
|
|
const STATUS_GOOD = 0; |
|
562
|
|
|
const STATUS_PARTIAL = -1; |
|
563
|
|
|
const STATUS_DOWN = -2; |
|
564
|
|
|
const STATUS_MONITORINGFAIL = -3; |
|
565
|
|
|
|
|
566
|
|
|
|
|
567
|
|
|
public $possibleFailureReasons; |
|
568
|
|
|
|
|
569
|
|
|
} |
|
570
|
|
|
|
GEANT /
CAT
