[pilotmike]

We check status with RIM every couple of weeks, but so far no information that this fix is into a production build yet.

If you are working with BlackBerry support on an issue similar to this, ask them to refer to software tracking number SDR153670. This is their internal defect id that the developers are writing their fix against. If we get enough people pushing on them for this fix, maybe it will help speed things along.

I'll share any non "NDA" (Non Disclosure Agreement) information I get with the group in this thread.

[pilotmike]

We got word from RIM last week that this issue has been fixed. Due to NDAs with the carriers RIM can not disclose to us the exact release numbers that contain the fix, however, the engineer indicated it was fixed in both 4.2 and 4.3 code.

It typically takes 2-3 months for the carriers to do their internal testing, so cross your fingers and hope for a software release coming soon containing this fix.

[bajjisw]

hmmm. This is still listed as unresolved on the bb website.

PEAP fails with Verisign CA certificates

[pilotmike]

RIM has told us this is fixed in the next version(s) of software that has been released to the carriers for their certification process. In addition, they have told us they will not mark it as resolved in their knowledge base until the fix is publically available.

RIM's escalation team has assured us that this will be fixed in a maintenance release of the 4.2 OS as well as the 4.5 (formally known as 4.3) release.
We won’t know until we see the software, but like the rest of the world, we are anxious to get our hands on the 4.5 OS. Rest assured we’ll be testing this first thing when it is released.

If anyone experiencing this issue gets their hands on a beta release of this code, please report any findings.

[John Clark]

We haven't seen any thing newer than .184 for 4.2 in ages.

[mkp]

Quote:

Originally Posted by pilotmike

We got word from RIM last week that this issue has been fixed.

I suspect I am experiencing a similar issue with an md2 certificate my university uses on its Wi-Fi network (PEAP/EAP-MS-CHAP v2). The certificate is "Secure Server Certification Authority, RSA Data Security, Inc., US", and should already be on most Windows computers. The SHA1 thumbprint starts "44 63 C5 31 ...".

Anyway, both the synchronization tool and the phone show the certificate with a yellow question mark, rather than a green check. It is one of the few certificates that I am not allowed to select in the Wi-Fi setup tool. My Blackberry OS is 4.2.2.169 (Platform 2.4.0.67). On the "Details" page of the certificate, it shows "Weak Cert Chain", and "Root Certificate". It also shows "Good on Sat, Apr 19, ..." and "Explicitly Trusted".

If someone could tell me if this is the same thing, I'd appreciate it.

[pilotmike]

Quote:

Originally Posted by mkp

I suspect I am experiencing a similar issue with an md2 certificate my university uses on its Wi-Fi network (PEAP/EAP-MS-CHAP v2). The certificate is "Secure Server Certification Authority, RSA Data Security, Inc., US", and should already be on most Windows computers. The SHA1 thumbprint starts "44 63 C5 31 ...".

Anyway, both the synchronization tool and the phone show the certificate with a yellow question mark, rather than a green check. It is one of the few certificates that I am not allowed to select in the Wi-Fi setup tool. My Blackberry OS is 4.2.2.169 (Platform 2.4.0.67). On the "Details" page of the certificate, it shows "Weak Cert Chain", and "Root Certificate". It also shows "Good on Sat, Apr 19, ..." and "Explicitly Trusted".

If someone could tell me if this is the same thing, I'd appreciate it.

The cert your university is using will always have a yellow question mark because it does not use strong certificate chaining (Root CA, Intermediary CA, etc). Despite that cert being good until 2010, VeriSign will not issue a new cert signed by that CA after sometime this year (and you have to specifically ask for it).

You are probably running into two issues in your setup. One, that cert is not an intermediary CA, so the BB will not let you select that cert in the Wi-Fi configuration for your SSID. Two, that cert does use the MD2 signature hashing algorithm which is not fixed until the 4.3/4.5 handheld software release which we have been waiting a very long time for.

We were initially told to expect the 4.3/4.5 software from the carriers in the March/April timeframe, but that was before RIM yanked some features out of that release at the last minute which caused some delays.

[pilotmike]

Just a quick update: Today I had the chance to test our corporate Wi-Fi connectivity on a T-Mobile 8120 running BB OS 4.3.0.115 and I can confirm that this issue with the older signature hashing on certificates has been resolved.

We are still waiting for the "official" 4.3/4.5 OS to be released for the older Wi-Fi enabled Berries.

It is amazing that we worked with RIM back in November on this issue and it has taken almost 6 months to finally be able to test the production fix.

[pilotmike]

RIM has updated the KB Article relating to this issue:

PEAP fails with Verisign CA certificates

[donald1x]

Wow, this exact problem has been bugging us for a bit now. As we deploy more and more wifi enabled blackberry (8820 and 8320) this is a request that I am starting to get regularly.

So far my solution is to let my users log on to the "guest" SSID that uses non PEAP logon, and give them year-long special users. not clean. So we are all rooting for the new OS.

[Ford12acing]

we use PEAP on my office, i installed the certificate on my bb, BUT when i go to configure for PEAP the certificate is not on the list (but if i go under options menu, the certificate is in fact on the phone)....anyway around this?

[mkp]

Quote:

Originally Posted by pilotmike

We are still waiting for the "official" 4.3/4.5 OS to be released for the older Wi-Fi enabled Berries.

This may be a bit offtopic, but do you know if all carriers release the OS at the same time, or if some carriers will release it before others? (I'm on AT&T.) I assume no one outside RIM knows yet when it'll be released, right? I'd still like to see if the root/intermediate thing is not a serious problem, since I can actually select one of two self-signed certs (not that it helps me connect, but it's a test), and both have a green check mark.

[pilotmike]

Quote:

Originally Posted by Ford12acing

we use PEAP on my office, i installed the certificate on my bb, BUT when i go to configure for PEAP the certificate is not on the list (but if i go under options menu, the certificate is in fact on the phone)....anyway around this?

What kind of cert is it? (Root, CA, Personal?) Right now under 4.2 you can only select CA Certs in the Wi-Fi PEAP Setup.

Check your CA certs under: Options --> Security Options --> Certificates. Then press the BlackBerry Menu key and select 'Show CA Certs'. I'm guessing the cert you need is not in that particular list. This should be fixed in 4.3 when it is released.

[pilotmike]

Quote:

Originally Posted by mkp

This may be a bit offtopic, but do you know if all carriers release the OS at the same time, or if some carriers will release it before others? (I'm on AT&T.) I assume no one outside RIM knows yet when it'll be released, right? I'd still like to see if the root/intermediate thing is not a serious problem, since I can actually select one of two self-signed certs (not that it helps me connect, but it's a test), and both have a green check mark.

I'm not really 100% sure how this all works and RIM would not really tell us when we were working with them on this issue. For this particular problem, RIM had the bug resolved way back in January. After RIM resolved the issue, it has to go to the carriers for their testing and customizations -- this can take 6 months plus, especially with the larger release jumps. (4.2 to 4.3) It is not, however, uncommon to see minor version difference across the various carriers. T-Mobile might release 4.2.2.188 and AT&T might release 4.2.2.192 but as far as a timeline amongst the carriers, I don’t know if RIM regulates that or if the carriers have some control.

The twist with OS 4.3/4.5 is that RIM yanked some features at the last minute which may have delayed this process or caused it to start over.

As a side note, we've recieved confirmation from our corporate T-Mobile Rep, that their internal BlackBerry folks are saying the Curve will not have a 4.3 release, but that the 4.5 code should be available sometime this "summer".

[Sith_Apprentice]

only the 8110/8120/8130/8330 devices will have 4.3. There will be 4.5 for everything 87xx and newer at some point.

[dasunst3r]

I have successfully associated my BlackBerry Curve 8320 (T-Mobile, version 4.2.2.180) to the 802.11bg wireless network at my university (more information: Public Internet Access - Overview). It uses 802.1x authentication too. I was initially unsuccessful using PEAP (default), but here are my settings that did work:

Code:

Security type: EAP-TTLS
Inner link security: MS-CHAP v2

When the network first rolled out, Linux users were instructed to use TTLS as the encryption method. That happened to work on Windows when I had to configure a few machines' ipw2200 and ipw3945 cards using Intel's utility. Try that and see if it works for you too. Good luck!

P.S. If you are in a big building with many access points, you should go back into the wireless profile and tick the box next to "Allow inter-access point handover"

[pilotmike]

Quote:

Originally Posted by dasunst3r

I have successfully associated my BlackBerry Curve 8320 (T-Mobile, version 4.2.2.180) to the 802.11bg wireless network at my university (more information: Public Internet Access - Overview). It uses 802.1x authentication too. I was initially unsuccessful using PEAP (default), but here are my settings that did work:

Code:

Security type: EAP-TTLS
Inner link security: MS-CHAP v2

Glad to hear that you were able to get yours to work; several others have as well. The specific issue we were running into was that in our 802.1X implementation there was a Verisign certificate in the cert chain that was signed with the MD2 signature hashing algorithm. If you are "lucky" enough to have one of these certs signed with MD2 in your implementation, that issue is not fixed until the 4.3/4.5 handheld software releases. (T-Mobile Corporate Rep telling us September is the latest target date now for 4.5 OS on the 8320).

If your university does not have a cert in the cert chain signed with an MD2 hashing algorithm, you should be good to go.

Dear RIM/T-Mobile,
We are still waiting for the official 4.5 OS.
Sincerely,
Your Customers.

[dasunst3r]

My network accepts either the "Thawte Premium Server CA" or the "Entrust.net Secure Server CA," if that rings any bells. The only thing I see with VeriSign is "VerSign WAP X509 Root."

[efi]

Hi,

does anyone know how to use a BB 8820 WiFi with an Apple Airport Extreme which is WPA2-protected? At the BB I only get WEP and PSK as options...

Many thanks & regards,

Efi

[John Clark]

The BB historically hasn't played well with the Apple Airport Extreme. I suggest updating your OS to the latest 4.5 OS that is available and see if it will work. WPA should be an option on all OS's though.