cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: cat-users AT lists.geant.org
- Subject: [[cat-users]] ChromeOS device module: testers wanted
- Date: Fri, 4 Nov 2022 11:42:37 +0100
Hello,
the ONC spec was updated some time ago to offer server name checks with a more proper variant (altSubjectNameMatch - which checks for matching names in the subjectAltName:DNS property of the certificate; vs. the old SubjectMatch which looks for a sub-string match in the Subject of the certificate).
In CAT 2.0.x, we still used SubjectMatch; but didn't get around to implement the new SubjectAlternativeMatch in time for 2.1.0.
As a result, we are currently crafting ChromeOS ONC configurations which only pin the CA, but do nothing about server name checking. That is of course an undesirable state.
We just brought updated code online at https://cat-test.eduroam.org which generates ONC files with the new way of configuring server name checks. Given my own lack of a recent ChromeOS device, I have limited testing capabilities for the change.
Could someone with an interest in ChromeOS devices head over to the test site, download a ChromeOS installer from there, and see if it works as expected with current ChromeOS versions? That would be very much appreciated.
If we get positive signals that everything is alright with the new server name checks, we'd push the code change forward to the production site ASAP.
Greetings,
Stefan Winter
--
This email may contain information for limited distribution only, please
treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
- [[cat-users]] ChromeOS device module: testers wanted, Stefan Winter, 11/04/2022
Archive powered by MHonArc 2.6.19.