cat-users - Re: [[cat-users]] mac osx sierra 10.12.3

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: cat-users AT lists.geant.org, Cristiano De Michele <cristiano.demichele AT uniroma1.it>
  • Subject: Re: [[cat-users]] mac osx sierra 10.12.3
  • Date: Mon, 27 Mar 2017 13:11:12 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

I have checked the Sapienza trust root and chain building.

They are indeed still using a TCS Gen 2 cert - issued pretty much "last
minute" in May 2015 and in principle valid until Jun 2 2018.

However, TCS Gen 2 was based on SHA-1 intermediate CAs.

Many OSes these days refuse to consider SHA-1 signed certificates
trusted. That is most likely the reason for this problem.

The current iteration of TCS, running on DigiCert roots which have
SHA-256 all the way through, is heavily recommended over anything SHA-1.

Cristiano, the best thing you can do to solve this problem *thoroughly*
is to show this mail to your IT department and make them

a) get a contemporary server certificate
b) update their trust root settings in eduroam CAT

so that you can afterwards download an updated config - which then works :-)

Since you configured Android manually, no verification at all is done on
any of the certificates, so you did not get a complaint by Android OS.
But that means your authentication to eduroam networks with your Android
is COMPLETELY insecure. Once Sapienza has updated their CAT settings,
you should rather use the eduroam CAT Android App.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
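
The check described in the reply above, as an added example that is not part of the original mail or of eduroam CAT: it reads the outer signatureAlgorithm of every certificate in a PEM bundle and flags SHA-1 and MD5 signatures, using only the Python standard library. The function names and the `constructed_cert` sample builder are assumptions made for this illustration; the sample input is a constructed, certificate-shaped DER skeleton with no real key or signature.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# DER-encoded signature algorithm OIDs (hex) -> name
SIG_ALGS = {
    "2a864886f70d010104": "md5WithRSAEncryption",
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a8648ce3d0401": "ecdsa-with-SHA1",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Outer signatureAlgorithm of Certificate ::= SEQUENCE {tbs, alg, sig}."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)        # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = der[oid_start:oid_end].hex()
    return SIG_ALGS.get(oid, "unknown OID " + oid)

def audit_bundle(pem_text):
    """(position, algorithm, is_weak) for every certificate in a PEM bundle."""
    algs = [signature_algorithm(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return [(i, alg, alg in WEAK) for i, alg in enumerate(algs)]

def constructed_cert(oid_hex):
    """Constructed sample input: empty tbsCertificate, empty signature."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + der + "\n-----END CERTIFICATE-----\n"
```

Run `audit_bundle` over the server certificate and the intermediates the RADIUS server sends. A trust anchor is trusted by its presence in the store rather than by its self-signature, so a SHA-1 self-signed root in the bundle is not by itself the problem.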



