The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello,

while it's true that this issue is unrelated to eduroam authentication per se (i.e. you get onto the network, so the roaming consortium's job is done), it would be quite concerning to have an SP that actually tries to break TLS encryption of user traffic.

If you can: can you make a screenshot of the certificate details in your browser - so that we can see which CA issued the certificate when you visit from within eduroam, vs. the certificate and CA that one would expect to see normally? I for one see the LetsEnrypt root (ISRG Root X1).

(Sth like: click the button left of the URL, then on "Connection is NOT secure", and then on the menu item showing the certificate)

Greetings,

Stefan Winter

On 07.05.25 13:56, Janos Mohacsi (via cat-users Mailing List) wrote:

Dear Paqui,

    This SSL error should not be related to eduroam. Eduroam just providing secure network access. Your error might related to a local WiFi/firewall/proxy settings where you try to use eduroam and access the website or might cause of your VPN setup.

According to compliance statement B.9 of eduroam     (

https://eduroam.org/wp-content/uploads/2023/10/eduroam_Compliance_Statement_v2-FINAL.pdf) the mangling of packets should be avoided.

"B.9. eduroam SPs are based on SP local policies. However, modifying the content of user connections
(e.g., access lists or firewall filter rules to deny arbitrary ports or application-layer proxies) is strongly
discouraged and MUST be reported to the respective RO"

Try asking the operator (Service Provider) of local eduroam network about their local network access policies and ask them to help resolving the SSL certificate issue.

Best Regards,

            Janos

On 2025. 05. 07. 12:24, Paqui Esther wrote:

          Hello,
        
          I am writing to report an issue when trying to access the
          following website while connected to the Eduroam network:
        
          https://www.fondation-mfo.org 
        
          When using Eduroam, the browser displays the following SSL
          error:
        
          “This server could not prove that it is www.fondation-mfo.org;
            its security certificate is not trusted by your computer’s
            operating system.”
        
          After several checks:

              The SSL certificate (Let’s Encrypt) is correctly installed
              and fully valid when tested on other networks (mobile
              data, etc.).
          
          
            
              The site passes all tests on SSL Labs
          
          
            
              The error disappears when not connected to Eduroam.
              
            
          
        
        
          It therefore seems that the issue may be related to SSL
          inspection or filtering on the Eduroam network, which prevents
          the certificate from being recognized correctly.
        
          Would it be possible to check whether this domain is being
          blocked or misinterpreted in your Eduroam configuration, and
          if so, to whitelist it?
        
          Please let me know if you need any further information.
        
          Thank you very much in advance for your help.
        
          Best regards,
        
          Paqui
        
          -----------------------
        
          Paqui ESTHER
        
          Computer Science student in Internship in Oxford
        
          paqui.esther AT mfo.ac.uk
        
          
        
        
          
        
        
          
        
        To
          unsubscribe, send this message: mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
          Or use the following link: https://lists.geant.org/sympa/sigrequest/cat-users

--

Janos Mohacsi
Head of International R&I, Research and Educational Division, T&I service owner
GÉANT activity coordinator in Hungary, member of GÉANT Board of Directors

Pro-M
Pro-M Professional Mobile and Networking Service Provider
address: 1134 Budapest, Váci út 35.
mobile: +36 30 555 7599   e-mail: mohacsi.janos AT pro-m.hu

      To
        unsubscribe, send this message:
        mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
        Or use the following link:
        https://lists.geant.org/sympa/sigrequest/cat-users
    
-- 
This email may contain information for limited distribution only, please treat accordingly.

Fondation Restena, Stefan WINTER
Chief Technology Officer
2, place de l'Université
L-4365 Esch-sur-Alzette