
cat-users - RE: [[cat-users]] Android versions. CN vs entire certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



RE: [[cat-users]] Android versions. CN vs entire certificate


  • From: <nicolas.velazquez AT uam.es>
  • To: "'Stefan Winter'" <stefan.winter AT restena.lu>, <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] Android versions. CN vs entire certificate
  • Date: Tue, 4 May 2021 17:42:17 +0200

Hi Stefan,

 

Thanks for your answer.

 

We have been using eduroamCAT for years.

And this certificate change is not the first we have done. All previous certificate changes, at least on Android, were made with eduroamCAT.

 

The question arises because our colleagues who directly serve end users told us that they now have problems with older versions of Android. Some older versions of Android show problems and need manual workarounds to work well, although they are using eduroamCAT profiles as the first and main method for updating profiles on all platforms.

 

So, I seemed to remember that older Android versions did not support any check of the secure connection other than having the machine certificate itself.

And, I don't know why, I seemed to remember that the option of using ONLY the CN, without needing the complete certificate, was a very new one in Android.

 

But, as you said, I am wrong.

 

Most likely, Android, its different versions, and the different flavors that each manufacturer makes for each model, are the true cause of these problems.

 

Thanks and regards,

 

Nicolás Velázquez Campoy

Unidad Técnica de Comunicaciones
Tecnologías de la Información
Universidad Autónoma de Madrid • Campus de Cantoblanco
c/ Fco Tomás y Valiente nº 11. Edificio B EPS, despacho TI-205 - 28049, Madrid
Tel.: 914973321
nicolas.velazquez AT uam.es | www.uam.es

 

From: Stefan Winter <stefan.winter AT restena.lu>
Sent: Tuesday, 4 May 2021 17:00
To: nicolas.velazquez AT uam.es; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] Android versions. CN vs entire certificate

 

Hello,

 

You are asking an Android archaeology question. I can only give you a partial answer.

 

We started supporting Android with eduroam CAT only by the time Android 4.3 was released. The reason is that only that version's API level allowed configuring the tuple of (CA; expected server name) and thus it was the first version that could do EAP server validation "properly".

 

I don't know how things were before that. We only started caring about Android with 4.3, and the eduroamCAT app is not even installable on older versions.

 

But then, Android 4.3 is way older than 4 years (something like 2013, 9 years ago!).

 

Maybe this other way you are talking about lived side-by-side with it for a while, and was finally obsoleted some unknown time ago. But then you were not using anything CAT offers to achieve onboarding with that other way of certificate pinning?

 

IMHO, the more interesting question is: why do you ask? CA+server name is much more flexible and "proper PKI" compared to pinning a single certificate. Do you need to support Android versions <4.3? If you don't, and care only about 4.3+, the advice would be to instruct users to use the "eduroamCAT" Android app and use that for configuring eduroam. The app will then install the root CA and expected server name, and things should work.

 

Greetings,

 

Stefan Winter

 

On 04.05.21 at 12:14, nicolas.velazquez AT uam.es wrote:

Hello all,

 

We recently changed our eduroamCAT profiles due to the expiration of the machine certificate of our RADIUS server.

 

The last time we carried out this process, four years ago, on Android it was necessary for the mobile phones to incorporate the machine certificate.

 

Now, it is enough that the devices that want to connect contain only the certificate of the root authority and the name expected in the CN and SAN fields.

 

The question is the following: in which Android version did this change occur?

 

We have problems with old Android phones.

We suspect that the new profile I described above, only the CN and not the machine certificate itself, does not work well for them.

Is that right?

We want to know the Android version that started this new configuration.

 

Thank you very much in advance,

 

Nicolás Velázquez Campoy

Unidad Técnica de Comunicaciones
Tecnologías de la Información
Universidad Autónoma de Madrid • Campus de Cantoblanco
c/ Fco Tomás y Valiente nº 11. Edificio B EPS, despacho TI-205 - 28049, Madrid
Tel.: 914973321
nicolas.velazquez AT uam.es | www.uam.es
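The two server-validation models Stefan contrasts above, pinning the single RADIUS "machine certificate" versus configuring the tuple (CA; expected server name), shown as an added example in Go. This is not code from the thread, from eduroam CAT or from Android; the CA names and the server name radius.example.org are made up, and all certificates are generated in memory so the program runs offline. The point it makes is the one behind the original question: after the machine certificate is renewed, a pinned profile stops matching, while a CA-plus-name profile keeps working and still rejects a same-name certificate from an untrusted CA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerName is a hypothetical RADIUS server name (assumption, not from the thread).
const ServerName = "radius.example.org"

// issue signs tmpl with parent/parentKey; a nil parent produces a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func serverTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames:  []string{name}, // the SAN is what the name check matches
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// PKI holds the constructed certificates (made up for this example).
type PKI struct {
	Root, RogueRoot *x509.Certificate
	OldServer       *x509.Certificate // the expired-and-replaced "machine certificate"
	NewServer       *x509.Certificate // renewal: same name and CA, new key and serial
	Rogue           *x509.Certificate // same name, but chained to an untrusted CA
	WrongName       *x509.Certificate // trusted CA, but a different server name
}

// BuildPKI generates the whole test PKI in memory; nothing is read from disk.
func BuildPKI() (*PKI, error) {
	root, rootKey, err := issue(caTemplate("Example Institution CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issue(caTemplate("Evil Twin CA", 2), nil, nil)
	if err != nil {
		return nil, err
	}
	p := &PKI{Root: root, RogueRoot: rogue}
	if p.OldServer, _, err = issue(serverTemplate(ServerName, 10), root, rootKey); err != nil {
		return nil, err
	}
	if p.NewServer, _, err = issue(serverTemplate(ServerName, 11), root, rootKey); err != nil {
		return nil, err
	}
	if p.Rogue, _, err = issue(serverTemplate(ServerName, 12), rogue, rogueKey); err != nil {
		return nil, err
	}
	if p.WrongName, _, err = issue(serverTemplate("other.example.org", 13), root, rootKey); err != nil {
		return nil, err
	}
	return p, nil
}

// VerifyCAAndName is the (CA; expected server name) model: the presented
// certificate must chain to the configured root AND carry the expected name.
func VerifyCAAndName(server, root *x509.Certificate, expected string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: expected})
	return err
}

// VerifyPinned is single-certificate pinning: only the exact DER bytes pass,
// so any renewal of the server certificate breaks every pinned profile.
func VerifyPinned(server, pinned *x509.Certificate) bool {
	return bytes.Equal(server.Raw, pinned.Raw)
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("renewed cert, CA+name model accepts:", VerifyCAAndName(p.NewServer, p.Root, ServerName) == nil)
	fmt.Println("renewed cert, pinned-old-cert model accepts:", VerifyPinned(p.NewServer, p.OldServer))
	fmt.Println("same name from untrusted CA, CA+name accepts:", VerifyCAAndName(p.Rogue, p.Root, ServerName) == nil)
	fmt.Println("trusted CA but wrong name, CA+name accepts:", VerifyCAAndName(p.WrongName, p.Root, ServerName) == nil)
}
```

Run it with `go run .`; the first line prints true and the other three print false. Go's verifier matches the expected name against the SAN only, which is why the example puts the name in DNSNames rather than relying on the CN; a RADIUS certificate that carries the name only in the CN will be rejected by clients that behave the same way.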

 

 




