The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello,

this is now the second time in three months that someone reported an
issue with Chromebook CAT installers. Since we weren't able to conclude
what the exact problem was back in the day, and both of you share common
setup specialities, I'm cc'ing Ramon Visser in this thread again; maybe
there's something in it for both of you.

Both Ramon and David are using proper CA-signed certificates with a
correct intermediate chain, so one might think this should work :-)

However, both have Extended Validation certificates, one coming from
DigiCert and one from QuoVadis. Both do not work.

The counter-test was our own RESTENA certificates which are self-signed
and (obviously) not EV, and they did work. There are also thousands of
downloads for Chromebook, so the corresponding CAT modules are in
frequent use, and I haven't heard of massive problems. So this can't be
a programmatic mistake affecting everybody. There's a mix of commercial
CA roots and self-signed throughout the user base, so I don't think the
discriminating property is self-signedness.

This makes me believe that ChromeOS somehow does not trust EV
certificates in the context of Wi-Fi.

Which is rather stupid, as those are typically considered even /more/
valid than normal certs - but they are only defined as such for Web
Browser use cases, so an implementer might construct a strange argument
that they aren't valid/meant for Wi-Fi.

So - if any of you two could get hold of a non-EV certificate to test
this hypothesis, I would be most grateful.

Greetings,

Stefan Winter

Am 25.01.2018 um 17:30 schrieb Fergusson, David:
>  
> 
> Hi, we have recently updating our eduroam certificate. All our Windows
> and MAC client have be able to use the eduroam CAT tool to update their
> settings with no issue which is great.
> 
>  
> 
> However we have recently had an issue reported to us for Google
> Chromebooks. Unfortunately the CAT tool does not seem to be working on
> these devices (or importing the correct settings) onto the device. Also
> if you go through manually we cannot see the new root CA (QuoVadis Root
> VA 2 G3). Is this something Jisc or eduroam is aware of ? Is there a fix
> for this.
> 
>  
> 
> Any help would be much appreciated.
> 
>  
> 
> Kind Regards
> 
>  
> 
> * *
> 
> *Dave Fergusson
> Client Networks Lead*
> 
> *Information and Technology Services
> *2^nd Floor, Exchange Station, Tithebarn St, Liverpool, L3 2QP
> t: 0151 904 6503 m:07826 893 427
> 
> d.j.fergusson AT ljmu.ac.uk
>  
> <mailto:d.j.fergusson AT ljmu.ac.uk>
> 
> *JMU*
> 
>  
> 
> 
> ------------------------------------------------------------------------
> */Important Notice:///*///the information in this email and any
> attachments is for the sole use of the intended recipient(s). If you are
> not an intended recipient, or a person responsible for delivering it to
> an intended recipient, you should delete it from your system immediately
> without disclosing its contents elsewhere and advise the sender by
> returning the email or by telephoning a number contained in the body of
> the email. No responsibility is accepted for loss or damage arising from
> viruses or changes made to this message after it was sent. The views
> contained in this email are those of the author and not necessarily
> those of Liverpool John Moores University.///////////
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature