cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Vlad Mencl <vladimir.mencl AT reannz.co.nz>
- To: Martin Pauly <pauly AT hrz.uni-marburg.de>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] eduroam and certificates
- Date: Wed, 18 Aug 2021 14:07:21 +1200
Hi Martin,
Two comments on the behaviour of Android with respect to the certificate validation:
On 18/08/21 04:47, Martin Pauly wrote:
But if the new cert has been signed by the root cert your Android already was set up to expect,
everthing is fine. As long root cert and server name do not change,
the verification process is exactly the same, and hence the result is the same.
Yes, Android allows you to specify "Use system certificates" as what to validate against - so in that case, changing the root from one public CA to another would still work.
Patrick, did you have this set on your phone?
[snip]
Android as provided by Google (e.g. AOSP, Pixel phones) has adopted this policy for WiFi 802.1X
logon as a sort of default. The old, really dangerous "Do not validate" setting is gone.
The most liberal way to go is called "Use system defaults". This means:
- Accept any PKI whose root cert is in Android's JAVA certs store (Android equivalent of /etc/ssl/certs).
Since the supplicant still has no clue as to the servername to expect, it accepts anything.
This it not really true. On Android 11, it asks you for "domain name" to check for in the certificate - and specifying one is mandatory.
The domain name entered has to either exactly match a name in the certificate, or it can also be shortened to just the "domain name" of the certificate - I assume Android goes by the Public Suffix List to determine how many components of the name from the certificate to strip.
So the security is reasonably good - at the very least, an attacker would have to get a certificate issued with a name falling under the institution's domain.
Cheers,
Vlad
--
Vladimir Mencl
Senior Software Engineer
Research & Education
Advanced Network NZ Ltd
M +64 21 997352
E vladimir.mencl AT reannz.co.nz
www.reannz.co.nz
- [[cat-users]] eduroam and certificates, Patrick Oberli, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Lukas Wringer, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Alan Buxey, 08/13/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/13/2021
- Re: [[cat-users]] eduroam and certificates, Jan-Frederik Rieckers, 08/14/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/16/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/17/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/17/2021
- Re: [[cat-users]] eduroam and certificates, Vlad Mencl, 08/18/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/18/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/18/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/17/2021
- RE: [[cat-users]] eduroam and certificates, Patrick Oberli, 08/17/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/16/2021
- Re: [[cat-users]] eduroam and certificates, Jan-Frederik Rieckers, 08/14/2021
- Re: [[cat-users]] eduroam and certificates, Martin Pauly, 08/16/2021
Archive powered by MHonArc 2.6.19.