[ALL] Update the Windows certificate installer for Windows 7
[ALL] Update the Mac OS X certificate installer for Snow Leopard
[ALL] Change UI for certificate installer export to export Mac and Windows separately
[ALL] Fixed a missing table error that could cause replication failures
[ALL] Fixed a bug that could lead to incorrect EAP message fragmentation with EAP-TLS, PEAP, TTLS, and EAP-FAST
[ALL] Upgrade OpenSSL FIPS to v1.2
[MAC] Always use short name for Directory Services group membership lookup, even if user logged in with a long name
[MAC] Build against the 10.5 SDK
[WIN] Fixed an issue parsing some UNC usernames with Windows authentication
[WIN] Remove use of subauthentication DLL
[WIN] No longer strip domain when performing Active Directory machine authentication
[WIN] Build with Visual Studio 2008
[WIN] Link installer executable statically
sudo chmod 755 /usr/sbin/elektrond
- Fixed a small memory leak when using ODBC for authentication
- Fixed a bug formatting Elektron account usernames in Elektron Settings
- Fixed a bug that prevented PEAP users from successfully authenticating against an upstream RADIUS server
- Fixed a bug that prevented MAC address authentication with certain Netgear devices
- Changed the message logged when an invalid Message-Authenticator is received
- Fixed a bug that resulted in Directory Services authentication failing for users who are members of many groups
- Fixed a bug that resulted in a spurious EAP-FAST PAC logging message
- Fixed a bug that prevented EAP-FAST from successfully authenticating MS-CHAPv2 users over non-anonymous connections
- Fixed a bug that could cause a crash on Windows when running with Delay Access-Reject (an option that is disabled by default)
- Fixed a bug in the Elektron Settings application that would cause username triggers to appear incorrect after reordering policies
At the Chaos Communication Congress today, researchers presented a paper describing their technique for forging certificates to appear as if they were signed by a trusted certificate authority. How they did it, in a nutshell:
- Obtain a legitimate certificate from a certificate authority that uses MD5 in its signatures.
- Generate a fake certificate for the rogue web site, adding an extension that contains a precisely calculated string of bytes so that the MD5 digest of the fake certificate matches the MD5 digest of the legitimate certificate from step 1 (this step took the researchers about 18 hours using an array of 200 Playstation 3 systems, whose Cell processor is especially adept at performing the kinds of computations necessary).
- Copy the signature from the legitimate certificate to the fake certificate.
The upshot is that any certificate signed by an authority using MD5 is suspect. RapidSSL accounted for nearly all of the certificates that the researchers identified in their sampling, but Thawte and several others were also singled out. Beware of any web site that uses one of these certificates; even if your browser says that the certificate is valid, it may not be. (n.b., not all Thawte certificates are vulnerable; our own web site uses a Thawte certificate that was issued with a SHA-1 signature).
This presentation comes on the heels of last week's revelation that a certificate vendor has been issuing certificates with no verification. In that case, a user was able to get a certificate issued in the name of "www.mozilla.org" despite not having any affiliation with Mozilla.
And to bring this all back around to Elektron, I'll note that Elektron has always signed its certificates using SHA-1.
"That's not a feature, that's a bug!"— An attendee's reaction to Steve Jobs' announcement that Microsoft Exchange support is the one new feature in Snow Leopard
Among the fixes is "Resolves an issue with saved passwords for wireless networks." That one has been bugging me since installing Leopard. Available now via Software Update.
The release notes also include this chestnut:
In Security preferences' Firewall tab, the "Block All" option is now called "Allow Only essential services"
So "block all" apparently didn't mean "block all."
The lab rats have been busy this weekend making sure that Elektron is fully compatible with the final release of Leopard. It only took a couple of minor tweaks, and a new release is now available! You'll only need this release if you're planning on running Elektron on Leopard; if you are keeping your server on Panther or Tiger (or Windows, for that matter) your existing Elektron installation will continue to authenticate Leopard users just fine.
The biggest Leopard Wi-Fi news is the disappearance of Internet Connect. All Wi-Fi configuration now occurs in the Network preference pane inside System Preferences:
One handy new feature is the ability to store 802.1X configurations on a per-user, per-system, or Login Window basis. The per-user configuration is basically how Tiger works; per-system allows you to create a single configuration for all users on the system (that is, the 802.1X login identifies the machine rather than an individual user), and the Login Window configuration allows the user to specify a username and password at login time to connect to the network before logging in. This final configuration is important for users without local accounts.
All in all, a very nice release.