cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Andrea Delise <delise AT sissa.it>
- To: cat-users AT lists.geant.org, paul.dekkers AT surf.nl
- Subject: Re: [[cat-users]] Multiple CA - Android
- Date: Thu, 10 Dec 2020 12:16:12 +0100
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp.sissa.it 3D8CDEED
Hi, I performed some more tests.
To me it looks like that Android 9, on different devices, fails to accept certificates for a wifi il provided with multiple CA.
I looks a system problem, not a cat problem, but something that I think may be worth noting.
I tried installing the CA bundle:
- with eduroam cat
- with the app geteduroam (very nice - I have some questions about it, shall I ask them here or somewhere else?)
- installing manually the full bundle
The result to me stays the same: certificates from the first CA are recognized, from the second one are ignored...
I may have stumbled in some bizarre exception, but I'm raising the statistics on the case and they seem to confirm my hypothesis.
Best regards,
Andrea Delise
On 07/12/20 13:07, Paul Dekkers wrote:
Hi Andrea,
On 7 Dec 2020, at 12:03, Andrea Delise <delise AT sissa.it> wrote:Ok. It was mostly about reproducing things; I may just have a different
Hi Paul and Patrick, thanks for your replies.
On 07/12/20 09:04, Paul Dekkers wrote:
I had a hypothesis that the error showed up because of installing a privateI have managed to get a test wifi with the new certificate. The CA I was
CA; I see your current CA is from DigiCert: what are you planning to replace
it with? If that’s a self-signed CA, my hypothesis could still stand. If it’s
Sectigo instead of DigiCert, it could still be that my unlock pattern is
perceived stronger by Android than a pin-code (with a particular length:
related to the requirement for Exchange servers too).
adding to Digicert was Sectigo. But the testing device was kindly provided by
a colleague, so I couldn't perform many tests. And I couldn't play much with
its security configuration, sorry... The device (a Samsung A40) was using a
pattern lock, I tried to switch it to pin lock (I do not remember the pin
lenght).
I could get my hands on another Samsung Android device in a couple of days,
in case I'll let you know.
Android build on my S10, but I was unable to see the issues the last two
reports stumbled upon!
It is! It reads all institutions and profiles from eduroam CAT (it cachesI’m also very curious if on this particular device and profile theDo you refer to the Samsung lock problem, or to the multiple CA installation?
“geteduroam” App works for you. (The plan is to suggest geteduroam for
Android 8+ instead of the existing eduroam CAT app, and it may or may not
solve the problem: but that’s important to know.) We paid attention to, and
did test, multiple CAs. And it consumes the eduroam CAT profiles just fine.
Is the geteduroam app available for all eduroam institutions?
this, so there is a bit of a delay). So any profile in CAT should be usable
in geteduroam.
We thought there should not be an(other) eduroam App in the stores if it’s
not generic and for everyone to use. (There are already too many that target
just a few users or a single organization.) So you can just try geteduroam
and see how it works for you.
We test geteduroam with a few scenario’s and devices, and one of those
scenario’s is multiple CAs. FWIW; there is also a scenario where geteduroam
creates an eduroam-specific (pseudo) account for you, but that’s not the way
the majority of the users will (currently) use it.
For the multiple CA, that is my main concern now, my fear is that CAT installsI can’t answer that myself, but from what I’ve seen many do a “hard
the correct CA file with both CA, but some Android devices refuse to look
further the first CA in the file. My main question remains: what are the
community statistics about installation and usage of multiple CA on android <
10? Am I the unlucky guy?
rollover”, or tell their Android users about possible issues. Or say “from
day X the profiles from CAT use the new certificates”.
I read the documentation more carefully, and it says:Oh. I did not check, I assumed by what people wrote here. In that case, it
Android 7.1 finally got its support for multiple trust roots; the eduroamCAT
app will support that in a future update.
may not be in eduroam CAT - but it for sure is in geteduroam.
What is the current state of the app? Is it supported? To my tests it looksWhich is funny, because the eduroam CAT app uses APIs that are officially
working, but only for Android >=10...
deprecated from >=10 ;-)
The current plan is to suggest from the eduroam CAT pages to use the
geteduroam App on Android 8+, since geteduroam doesn’t do anything below. The
geteduroam Apps do receive more development and updates, so in case we see
problems we may be able to fix that in the future. (In particular on Android
11 up, we need an entirely new way of configuring networks via the API/SDK
than what is done in the current eduroam CAT App.)
Paul
To unsubscribe, send this message:
mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users
--
______________________________________________
Andrea Delise
tel: +39-040-3787537 e-mail: delise AT sissa.it
SISSA Information Technology and Computing Services http://www.itcs.sissa.it
via Bonomea 265 - I 34136 Trieste - Italy
- [[cat-users]] Multiple CA - Android, Andrea Delise, 12/07/2020
- RE: [[cat-users]] Multiple CA - Android, Patrick Oberli, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/11/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/07/2020
Archive powered by MHonArc 2.6.19.