The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello,


the ONC spec was updated some time ago to offer server name checks with 
a more proper variant (altSubjectNameMatch - which checks for matching 
names in the subjectAltName:DNS property of the certificate; vs. the old 
SubjectMatch which looks for a sub-string match in the Subject of the 
certificate).


In CAT 2.0.x, we still used SubjectMatch; but didn't get around to 
implement the new SubjectAlternativeMatch in time for 2.1.0.


As a result, we are currently crafting ChromeOS ONC configurations which 
only pin the CA, but do nothing about server name checking. That is of 
course an undesirable state.


We just brought updated code online at https://cat-test.eduroam.org 
which generates ONC files with the new way of configuring server name 
checks. Given my own lack of a recent ChromeOS device, I have limited 
testing capabilities for the change.


Could someone with an interest in ChromeOS devices head over to the test 
site, download a ChromeOS installer from there, and see if it works as 
expected with current ChromeOS versions? That would be very much 
appreciated.


If we get positive signals that everything is alright with the new 
server name checks, we'd push the code change forward to the production 
site ASAP.


Greetings,


Stefan Winter


--
This email may contain information for limited distribution only, please 
treat accordingly.

Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette