The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Andrea Delise <delise AT sissa.it>]

Hi, I performed some more tests.

To me it looks like that Android 9, on different devices, fails to 
accept certificates for a wifi il provided with multiple CA.

I looks a system problem, not a cat problem, but something that I think 
may be worth noting.

I tried installing the CA bundle:
- with eduroam cat
- with the app geteduroam (very nice - I have some questions about it, 
shall I ask them here or somewhere else?)
- installing manually the full bundle

The result to me stays the same: certificates from the first CA are 
recognized, from the second one are ignored...

I may have stumbled in some bizarre exception, but I'm raising the 
statistics on the case and they seem to confirm my hypothesis.

Best regards,

Andrea Delise

On 07/12/20 13:07, Paul Dekkers wrote:
> Hi Andrea,
>
> > On 7 Dec 2020, at 12:03, Andrea Delise <delise AT sissa.it> wrote:
> >
> > Hi Paul and Patrick, thanks for your replies.
> >
> > On 07/12/20 09:04, Paul Dekkers wrote:
> >
> > > I had a hypothesis that the error showed up because of installing a private 
> > > CA; I see your current CA is from DigiCert: what are you planning to replace 
> > > it with? If that’s a self-signed CA, my hypothesis could still stand. If it’s 
> > > Sectigo instead of DigiCert, it could still be that my unlock pattern is 
> > > perceived stronger by Android than a pin-code (with a particular length: 
> > > related to the requirement for Exchange servers too).
> > I have managed to get a test wifi with the new certificate. The CA I was 
> > adding to Digicert was Sectigo. But the testing device was kindly provided by 
> > a colleague, so I couldn't perform many tests. And I couldn't play much with 
> > its security configuration, sorry...  The device (a Samsung A40) was using a 
> > pattern lock, I tried to switch it to pin lock (I do not remember the pin 
> > lenght).
> >
> > I could get my hands on another Samsung Android device in a couple of days, 
> > in case I'll let you know.
> Ok. It was mostly about reproducing things; I may just have a different 
> Android build on my S10, but I was unable to see the issues the last two 
> reports stumbled upon!
>
> > > I’m also very curious if on this particular device and profile the 
> > > “geteduroam” App works for you. (The plan is to suggest geteduroam for 
> > > Android 8+ instead of the existing eduroam CAT app, and it may or may not 
> > > solve the problem: but that’s important to know.) We paid attention to, and 
> > > did test, multiple CAs. And it consumes the eduroam CAT profiles just fine.
> > Do you refer to the Samsung lock problem, or to the multiple CA installation? 
> > Is the geteduroam app available for all eduroam institutions?
> It is! It reads all institutions and profiles from eduroam CAT (it caches 
> this, so there is a bit of a delay). So any profile in CAT should be usable 
> in geteduroam.
>
> We thought there should not be an(other) eduroam App in the stores if it’s 
> not generic and for everyone to use. (There are already too many that target 
> just a few users or a single organization.) So you can just try geteduroam 
> and see how it works for you.
>
> We test geteduroam with a few scenario’s and devices, and one of those 
> scenario’s is multiple CAs. FWIW; there is also a scenario where geteduroam 
> creates an eduroam-specific (pseudo) account for you, but that’s not the way 
> the majority of the users will (currently) use it.
>
> > For the multiple CA, that is my main concern now, my fear is that CAT installs 
> > the correct CA file with both CA, but some Android devices refuse to look 
> > further the first CA in the file. My main question remains: what are the 
> > community statistics about installation and usage of multiple CA on android < 
> > 10? Am I the unlucky guy?
> I can’t answer that myself, but from what I’ve seen many do a “hard 
> rollover”, or tell their Android users about possible issues. Or say “from 
> day X the profiles from CAT use the new certificates”.
>
> > I read the documentation more carefully, and it says:
> >
> > Android 7.1 finally got its support for multiple trust roots; the eduroamCAT 
> > app will support that in a future update.
> Oh. I did not check, I assumed by what people wrote here. In that case, it 
> may not be in eduroam CAT - but it for sure is in geteduroam.
>
> > What is the current state of the app? Is it supported? To my tests it looks 
> > working, but only for Android >=10...
> Which is funny, because the eduroam CAT app uses APIs that are officially 
> deprecated from >=10 ;-)
>
> The current plan is to suggest from the eduroam CAT pages to use the 
> geteduroam App on Android 8+, since geteduroam doesn’t do anything below. The 
> geteduroam Apps do receive more development and updates, so in case we see 
> problems we may be able to fix that in the future. (In particular on Android 
> 11 up, we need an entirely new way of configuring networks via the API/SDK 
> than what is done in the current eduroam CAT App.)
>
> Paul
>
> To unsubscribe, send this message: 
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users


--
______________________________________________
Andrea Delise
tel: +39-040-3787537  e-mail: delise AT sissa.it
SISSA Information Technology and Computing Services http://www.itcs.sissa.it
via Bonomea 265 - I 34136 Trieste - Italy