
cat-users - Re: [[cat-users]] Multiple CA - Android

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] Multiple CA - Android


  • From: Andrea Delise <delise AT sissa.it>
  • To: Paul Dekkers <paul.dekkers AT surf.nl>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Multiple CA - Android
  • Date: Fri, 11 Dec 2020 09:32:01 +0100

My apologies!

...there was a bug in my testing platform (you should always check with nagios the testing servers too :-( ...)

geteduroam DOES work perfectly!

Sorry for the hassle and thank you for your support!

Best regards,

Andrea Delise

On 10/12/20 12:59, Paul Dekkers wrote:
Hi,

On 10 Dec 2020, at 12:16, Andrea Delise <delise AT sissa.it> wrote:

Hi, I performed some more tests.

To me it looks like Android 9, on different devices, fails to accept certificates for a wifi if provided with multiple CA.

It looks like a system problem, not a cat problem, but something that I think may be worth noting.

I tried installing the CA bundle:
- with eduroam cat

I understand meanwhile that this isn’t possible in the “old” eduroam CAT App, it accepts only one CA.

- with the app geteduroam (very nice - I have some questions about it, shall I ask them here or somewhere else?)

It should indeed work with geteduroam. We did test it and it did work.

I just ran an attempt for SISSA through the debugger on a Samsung S10 (Android 10), and I see all 5 certificates being installed (2 from Digicert TCS, 3 from Sectigo TCS), no warnings whatsoever that they could not be installed on the 2 SSIDs you include. I can’t test the connection for real of course as I have no credentials, but the installation via the Android API worked fine.

Both server certificates are with CN janus.sissa.it right?

(BTW, if you enabled “Verify user input to contain realm suffix:” and you indeed only have @sissa.it as your realm, you can also tick “Prefill user input with realm suffix:” - in that case you don’t even have to enter the realm in geteduroam, it will autocomplete.)

About geteduroam feedback: There is a dedicated list for geteduroam (https://lists.geant.org/sympa/info/geteduroam) but since we also plan to suggest the App from CAT from Android 8+ on, it may also be relevant for others on this list. So, I don’t know ;-) and it may depend on the questions: perhaps the geteduroam list is a good place.

- installing manually the full bundle

The result to me stays the same: certificates from the first CA are recognized, from the second one are ignored...

I may have stumbled in some bizarre exception, but I'm raising the statistics on the case and they seem to confirm my hypothesis.

It would be a bit sad if it worked on all the devices we check (Samsung S7, S10, Huawei, Xiaomi, Pixel 5) but not on some others or other OEM builds… but the Android ecosystem is so diverse, I believe even our App being Android 8+ can work on 7000 different device-types :-|

Either way I didn’t actually test it now, but we did in the past, and it used to work. I will try it in a few weeks, I planned a rollover myself during vacation time ;-) and that’s not so far away.

Regards,
Paul


Best regards,

Andrea Delise

On 07/12/20 13:07, Paul Dekkers wrote:
Hi Andrea,

On 7 Dec 2020, at 12:03, Andrea Delise <delise AT sissa.it> wrote:

Hi Paul and Patrick, thanks for your replies.
On 07/12/20 09:04, Paul Dekkers wrote:

I had a hypothesis that the error showed up because of installing a private CA; I see your current CA is from DigiCert: what are you planning to replace it with? If that’s a self-signed CA, my hypothesis could still stand. If it’s Sectigo instead of DigiCert, it could still be that my unlock pattern is perceived stronger by Android than a pin-code (with a particular length: related to the requirement for Exchange servers too).
I have managed to get a test wifi with the new certificate. The CA I was adding to Digicert was Sectigo. But the testing device was kindly provided by a colleague, so I couldn't perform many tests. And I couldn't play much with its security configuration, sorry... The device (a Samsung A40) was using a pattern lock, I tried to switch it to pin lock (I do not remember the pin length).

I could get my hands on another Samsung Android device in a couple of days, in case I'll let you know.
Ok. It was mostly about reproducing things; I may just have a different Android build on my S10, but I was unable to see the issues the last two reports stumbled upon!

I’m also very curious if on this particular device and profile the “geteduroam” App works for you. (The plan is to suggest geteduroam for Android 8+ instead of the existing eduroam CAT app, and it may or may not solve the problem: but that’s important to know.) We paid attention to, and did test, multiple CAs. And it consumes the eduroam CAT profiles just fine.
Do you refer to the Samsung lock problem, or to the multiple CA installation? Is the geteduroam app available for all eduroam institutions?
It is! It reads all institutions and profiles from eduroam CAT (it caches this, so there is a bit of a delay). So any profile in CAT should be usable in geteduroam.

We thought there should not be an(other) eduroam App in the stores if it’s not generic and for everyone to use. (There are already too many that target just a few users or a single organization.) So you can just try geteduroam and see how it works for you.

We test geteduroam with a few scenarios and devices, and one of those scenarios is multiple CAs. FWIW; there is also a scenario where geteduroam creates an eduroam-specific (pseudo) account for you, but that’s not the way the majority of the users will (currently) use it.

For the multiple CA, that is my main concern now, my fear is that CAT installs the correct CA file with both CA, but some Android devices refuse to look further than the first CA in the file. My main question remains: what are the community statistics about installation and usage of multiple CA on android < 10? Am I the unlucky guy?
I can’t answer that myself, but from what I’ve seen many do a “hard rollover”, or tell their Android users about possible issues. Or say “from day X the profiles from CAT use the new certificates”.

I read the documentation more carefully, and it says:

Android 7.1 finally got its support for multiple trust roots; the eduroamCAT app will support that in a future update.
Oh. I did not check, I assumed by what people wrote here. In that case, it may not be in eduroam CAT - but it for sure is in geteduroam.

What is the current state of the app? Is it supported? To my tests it looks working, but only for Android >=10...
Which is funny, because the eduroam CAT app uses APIs that are officially deprecated from >=10 ;-)
The current plan is to suggest from the eduroam CAT pages to use the geteduroam App on Android 8+, since geteduroam doesn’t do anything below. The geteduroam Apps do receive more development and updates, so in case we see problems we may be able to fix that in the future. (In particular on Android 11 up, we need an entirely new way of configuring networks via the API/SDK than what is done in the current eduroam CAT App.)
Paul

-- 
______________________________________________
Andrea Delise
tel: +39-040-3787537  e-mail: delise AT sissa.it
SISSA Information Technology and Computing Services http://www.itcs.sissa.it 
via Bonomea 265 - I 34136 Trieste - Italy
