
cat-users - Re: [[cat-users]] Issue accessing a website via Eduroam (SSL certificate not recognized)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Paqui Esther <paqui.esther AT mfo.ac.uk>
  • To: Stefan Winter <stefan.winter AT restena.lu>, Janos Mohacsi <mohacsi.janos AT pro-m.hu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Issue accessing a website via Eduroam (SSL certificate not recognized)
  • Date: Wed, 7 May 2025 14:42:07 +0000

Hello,


For the CA, I for one see the Let's Encrypt root (ISRG Root X1) with mobile data, but with Eduroam I see the Gateway CA - Cloudflare Managed G2, as you can see in the screenshot.

Best Regards,
Paqui
-----------------------
Paqui ESTHER
Computer Science student in Internship in Oxford
paqui.esther AT mfo.ac.uk

From: Stefan Winter <stefan.winter AT restena.lu>
Sent: 07 May 2025 13:18
To: Janos Mohacsi <mohacsi.janos AT pro-m.hu>; Paqui Esther <paqui.esther AT mfo.ac.uk>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] Issue accessing a website via Eduroam (SSL certificate not recognized)
 

Hello,


while it's true that this issue is unrelated to eduroam authentication per se (i.e. you get onto the network, so the roaming consortium's job is done), it would be quite concerning to have an SP that actually tries to break TLS encryption of user traffic.


If you can: can you make a screenshot of the certificate details in your browser - so that we can see which CA issued the certificate when you visit from within eduroam, vs. the certificate and CA that one would expect to see normally? I for one see the Let's Encrypt root (ISRG Root X1).


(Something like: click the button left of the URL, then on "Connection is NOT secure", and then on the menu item showing the certificate)


Greetings,


Stefan Winter


On 07.05.25 13:56, Janos Mohacsi (via cat-users Mailing List) wrote:

Dear Paqui,

This SSL error should not be related to eduroam. Eduroam just provides secure network access. Your error might be related to local WiFi/firewall/proxy settings where you try to use eduroam and access the website, or might be caused by your VPN setup.


According to compliance statement B.9 of eduroam (https://eduroam.org/wp-content/uploads/2023/10/eduroam_Compliance_Statement_v2-FINAL.pdf) the mangling of packets should be avoided.


"B.9. eduroam SPs are based on SP local policies. However, modifying the content of user connections
(e.g., access lists or firewall filter rules to deny arbitrary ports or application-layer proxies) is strongly
discouraged and MUST be reported to the respective RO"


Try asking the operator (Service Provider) of the local eduroam network about their local network access policies and ask them to help resolve the SSL certificate issue.


Best Regards,

            Janos


On 2025. 05. 07. 12:24, Paqui Esther wrote:
Hello,
I am writing to report an issue when trying to access the following website while connected to the Eduroam network:
When using Eduroam, the browser displays the following SSL error:
“This server could not prove that it is www.fondation-mfo.org; its security certificate is not trusted by your computer’s operating system.”
After several checks:
  • The SSL certificate (Let’s Encrypt) is correctly installed and fully valid when tested on other networks (mobile data, etc.).
  • The site passes all tests on SSL Labs
  • The error disappears when not connected to Eduroam.

It therefore seems that the issue may be related to SSL inspection or filtering on the Eduroam network, which prevents the certificate from being recognized correctly.
Would it be possible to check whether this domain is being blocked or misinterpreted in your Eduroam configuration, and if so, to whitelist it?
Please let me know if you need any further information.
Thank you very much in advance for your help.
Best regards,
Paqui
-----------------------
Paqui ESTHER
Computer Science student in Internship in Oxford



--

Janos Mohacsi
Head of International R&I, Research and Educational Division, T&I service owner
GÉANT activity coordinator in Hungary, member of GÉANT Board of Directors

Pro-M
Pro-M Professional Mobile and Networking Service Provider
address: 1134 Budapest, Váci út 35.
mobile: +36 30 555 7599   e-mail: mohacsi.janos AT pro-m.hu

-- 
This email may contain information for limited distribution only, please treat accordingly.

Fondation Restena, Stefan WINTER
Chief Technology Officer
2, place de l'Université
L-4365 Esch-sur-Alzette

Attachment: Screenshot 2025-05-07 at 15.38.08.png
Description: Screenshot 2025-05-07 at 15.38.08.png

Attachment: Screenshot 2025-05-07 at 15.36.12.png
Description: Screenshot 2025-05-07 at 15.36.12.png
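
The comparison asked for in this thread (which CA issued the certificate served inside eduroam versus on another network) can also be made without screenshots. The following is an added example, not part of the original messages: it reads the issuer straight out of the served leaf certificate using only the Python standard library. The function names are hypothetical, and the two sample certificates are constructed skeletons whose issuer values (including the intermediate name "R11") are assumptions modelled on the names mentioned in the thread.

```python
import socket, ssl

OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}  # commonName, organizationName

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def issuer_of(der):
    """Issuer CN/O of a DER certificate: the CA that signed what was served."""
    fields = [f for f in children(read_tlv(read_tlv(der, 0)[1], 0)[1]) if f[0] != 0xA0]
    out = {}
    for _, rdn in children(fields[2][1]):  # serial, sigAlg, issuer ([0] version dropped)
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))[:2]
            if oid in OIDS:
                out[OIDS[oid]] = val.decode("utf-8", "replace")
    return out

def fetch_leaf(host, port=443):
    """Leaf certificate (DER) as served on the current network, read without trusting it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspection only
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare(der_a, der_b):
    a, b = issuer_of(der_a), issuer_of(der_b)
    return {"a": a, "b": b, "same_issuer": a == b, "same_cert": der_a == der_b}

def _tlv(tag, body):  # helpers below only build the constructed sample input
    return bytes([tag, len(body)]) + body  # short-form length suffices here
def _sample(**attrs):
    name = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, attrs[k].encode())))
                    for oid, k in OIDS.items() if k in attrs)
    return _tlv(0x30, _tlv(0x30, bytes.fromhex("a0030201020201013000") + _tlv(0x30, name)))
ON_MOBILE = _sample(O="Let's Encrypt", CN="R11")               # constructed
ON_EDUROAM = _sample(CN="Gateway CA - Cloudflare Managed G2")  # constructed
```

Running `issuer_of(fetch_leaf("www.fondation-mfo.org"))` once on each network and passing both captures to `compare` shows whether the site's own certificate or a substituted one was served.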



