
cat-users - RE: [[cat-users]] eduroam and certificates

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Patrick Oberli <patrick.oberli AT ost.ch>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] eduroam and certificates
  • Date: Wed, 18 Aug 2021 07:09:12 +0000
  • Accept-language: en-CH, de-CH, en-US

Thank you for your answers.

> Yes, Android allows you to specify "Use system certificates" as what to
> validate against - so in that case, changing the root from one public CA to
> another would still work.

> Patrick, did you have this set on your phone?
I did. But the interesting part is, the old one was not even from a public
CA, but our own internal CA (which I have trusted on my mobile phone for
testing). So I assume that is the reason why Android 11 silently accepted the
new certificate. I hope I didn't overlook anything in my testing, it wasn't
really scientifically done.

But what I've learned so far, this is one area in Wi-Fi which is still after
many years very complicated, not standardized (the behavior) and fairly
badly/complicated documented.

Regards,
Patrick


Kind regards

ICT - IT-Infrastructure
Network and Multimedia Team
Patrick Oberli

Tel (direct): +41 58 257 4958
Email: patrick.oberli AT ost.ch

OST – Ostschweizer Fachhochschule
ICT Information & Communication Technology | Oberseestrasse 10 | 8640
Rapperswil | Switzerland | https://www.ost.ch

OST – Ostschweizer Fachhochschule is the merger of HSR Rapperswil,
FHS St.Gallen and NTB Buchs.

-----Original Message-----
From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org>
On Behalf Of Vlad Mencl
Sent: Wednesday, 18 August 2021 04:07
To: Martin Pauly <pauly AT hrz.uni-marburg.de>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] eduroam and certificates


Hi Martin,

Two comments on the behaviour of Android with respect to the certificate
validation:

On 18/08/21 04:47, Martin Pauly wrote:
>
>
> But if the new cert has been signed by the root cert your Android
> already was set up to expect, everything is fine. As long as root cert and
> server name do not change, the verification process is exactly the
> same, and hence the result is the same.

Yes, Android allows you to specify "Use system certificates" as what to
validate against - so in that case, changing the root from one public CA to
another would still work.

Patrick, did you have this set on your phone?

[snip]

> Android as provided by Google (e.g. AOSP, Pixel phones) has adopted
> this policy for WiFi 802.1X logon as a sort of default. The old,
> really dangerous "Do not validate"
> setting is gone.
> The most liberal way to go is called "Use system defaults". This means:
>  - Accept any PKI whose root cert is in Android's JAVA certs store
> (Android equivalent of /etc/ssl/certs).
> Since the supplicant still has no clue as to the servername to expect, it
> accepts anything.

This is not really true. On Android 11, it asks you for "domain name"
to check for in the certificate - and specifying one is mandatory.

The domain name entered has to either exactly match a name in the
certificate, or it can also be shortened to just the "domain name" of the
certificate - I assume Android goes by the Public Suffix List to determine
how many components of the name from the certificate to strip.

So the security is reasonably good - at the very least, an attacker would
have to get a certificate issued with a name falling under the institution's
domain.


Cheers,
Vlad



--
Vladimir Mencl
Senior Software Engineer

Research & Education
Advanced Network NZ Ltd

M +64 21 997352
E vladimir.mencl AT reannz.co.nz
www.reannz.co.nz
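As an added illustration of the "domain name" check Vlad describes (example code written for this archive, not Android's or wpa_supplicant's own source), the following models the constraint as a case-insensitive suffix match on whole DNS labels against the server certificate's subjectAltName dNSName entries, which is the documented behaviour of wpa_supplicant's domain_suffix_match; the Public Suffix List handling Vlad speculates about is not modelled, and the SAN names are constructed.

```python
"""Added example: checking a configured eduroam "domain name" constraint
against the names carried by the RADIUS server certificate.

Modelled on the label-boundary suffix match of wpa_supplicant's
domain_suffix_match (an assumption for this illustration, not code taken
from Android or from the thread).
"""


def name_matches_suffix(cert_name: str, configured_domain: str) -> bool:
    """True if cert_name equals configured_domain or ends with '.' + it.

    Matching on whole labels is what prevents a certificate issued for
    'evilexample.edu' from satisfying a constraint of 'example.edu'.
    """
    cert_name = cert_name.strip().rstrip(".").lower()
    configured_domain = configured_domain.strip().rstrip(".").lower()
    if not configured_domain:
        return False  # an empty constraint would accept any server at all
    return (cert_name == configured_domain
            or cert_name.endswith("." + configured_domain))


def server_cert_accepted(san_dns_names: list[str], configured_domain: str) -> bool:
    """Accept the server if any dNSName in its SAN satisfies the constraint."""
    return any(name_matches_suffix(n, configured_domain) for n in san_dns_names)


# Constructed sample: SAN dNSName values as an institution's RADIUS
# certificate might carry them (not real hosts).
RADIUS_SAN = ["radius1.example.edu", "radius2.example.edu"]

if __name__ == "__main__":
    # Full host, institution domain, a non-label-boundary lookalike and a
    # foreign domain: only the first two should be accepted.
    for domain in ["radius1.example.edu", "example.edu",
                   "ample.edu", "example.org"]:
        print(f"{domain:>20} -> {server_cert_accepted(RADIUS_SAN, domain)}")
```

A constraint as short as a bare public suffix such as "edu" would still pass this suffix rule, which is why the configured domain should be the institution's own; whether Android itself refuses such a short value is not modelled here.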