
cat-users - Re: [[cat-users]] Issue accessing a website via Eduroam (SSL certificate not recognized)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Issue accessing a website via Eduroam (SSL certificate not recognized)
  • Date: Wed, 7 May 2025 20:46:56 +0000

All, 

 

This is being handled off-list through NRO processes. 

 

Kind regards

 

Stefan Paetow

Federated Roaming Technical Specialist

eduroam(UK), Jisc

 

email/teams: stefan.paetow AT jisc.ac.uk

gpg: 0x3FCE5142

 

For eduroam support, please contact the eduroam team via help AT jisc.ac.uk and mark it for eduroam’s attention.

On Mondays and Fridays, I am not available between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).

 

Note: I don’t expect a reply outside of your working hours, since I work internationally with colleagues in different nationalities with different religions, customs, and holidays. Reply when it is convenient for you.

 

Jisc is a registered charity (in England and Wales under charity number 1149740; in Scotland under charity number SC053607) and a company limited by guarantee registered in England under company number 05747339, VAT number GB 197 0632 86. Jisc's registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.

 

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 02881024, VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.

 

For more details on how Jisc handles your data see our privacy notice here: https://www.jisc.ac.uk/website/privacy-notice

 

 

From: <cat-users-request AT lists.geant.org> on behalf of Paqui Esther <paqui.esther AT mfo.ac.uk>
Reply to: Paqui Esther <paqui.esther AT mfo.ac.uk>
Date: Wednesday, 7 May 2025 at 15:44
To: Stefan Winter <stefan.winter AT restena.lu>, Janos Mohacsi <mohacsi.janos AT pro-m.hu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] Issue accessing a website via Eduroam (SSL certificate not recognized)

 


Hello,

 

 

For the CA, I for one see the Let's Encrypt root (ISRG Root X1) with mobile data, but with Eduroam I see the Gateway CA - Cloudflare Managed G2, as you can see in the screenshot.

 

Best Regards,

Paqui

-----------------------

Paqui ESTHER

Computer Science student in Internship in Oxford

paqui.esther AT mfo.ac.uk


From: Stefan Winter <stefan.winter AT restena.lu>
Sent: 07 May 2025 13:18
To: Janos Mohacsi <mohacsi.janos AT pro-m.hu>; Paqui Esther <paqui.esther AT mfo.ac.uk>; cat-users AT lists.geant.org <cat-users AT lists.geant.org>
Subject: Re: [[cat-users]] Issue accessing a website via Eduroam (SSL certificate not recognized)

 

Hello,

 

while it's true that this issue is unrelated to eduroam authentication per se (i.e. you get onto the network, so the roaming consortium's job is done), it would be quite concerning to have an SP that actually tries to break TLS encryption of user traffic.

 

If you can: can you make a screenshot of the certificate details in your browser - so that we can see which CA issued the certificate when you visit from within eduroam, vs. the certificate and CA that one would expect to see normally? I for one see the Let's Encrypt root (ISRG Root X1).

 

(Sth like: click the button left of the URL, then on "Connection is NOT secure", and then on the menu item showing the certificate)

 

Greetings,

 

Stefan Winter

 

On 07.05.25 13:56, Janos Mohacsi (via cat-users Mailing List) wrote:

Dear Paqui,

This SSL error should not be related to eduroam. Eduroam just provides secure network access. Your error might be related to local WiFi/firewall/proxy settings where you try to use eduroam and access the website, or might be caused by your VPN setup.

 

According to compliance statement B.9 of eduroam (https://eduroam.org/wp-content/uploads/2023/10/eduroam_Compliance_Statement_v2-FINAL.pdf) the mangling of packets should be avoided.

 

"B.9. eduroam SPs are based on SP local policies. However, modifying the content of user connections
(e.g., access lists or firewall filter rules to deny arbitrary ports or application-layer proxies) is strongly
discouraged and MUST be reported to the respective RO"

 

Try asking the operator (Service Provider) of the local eduroam network about their local network access policies and ask them to help resolve the SSL certificate issue.

 

Best Regards,

            Janos

 

On 2025. 05. 07. 12:24, Paqui Esther wrote:

Hello,

I am writing to report an issue when trying to access the following website while connected to the Eduroam network:

When using Eduroam, the browser displays the following SSL error:

“This server could not prove that it is www.fondation-mfo.org; its security certificate is not trusted by your computer’s operating system.”

After several checks:

  • The SSL certificate (Let’s Encrypt) is correctly installed and fully valid when tested on other networks (mobile data, etc.).
  • The error disappears when not connected to Eduroam.

It therefore seems that the issue may be related to SSL inspection or filtering on the Eduroam network, which prevents the certificate from being recognized correctly.

Would it be possible to check whether this domain is being blocked or misinterpreted in your Eduroam configuration, and if so, to whitelist it?

Please let me know if you need any further information.

Thank you very much in advance for your help.

Best regards,

Paqui

-----------------------

Paqui ESTHER

Computer Science student in Internship in Oxford

 

 

 

--

Janos Mohacsi
Head of International R&I, Research and Educational Division, T&I service owner
GÉANT activity coordinator in Hungary, member of GÉANT Board of Directors

Pro-M
Pro-M Professional Mobile and Networking Service Provider
address: 1134 Budapest, Váci út 35.
mobile: +36 30 555 7599   e-mail: mohacsi.janos AT pro-m.hu

-- 
This email may contain information for limited distribution only, please treat accordingly.
 
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, place de l'Université
L-4365 Esch-sur-Alzette
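
The comparison requested in the thread (which certificate is presented inside eduroam versus on another network) can also be recorded without screenshots. The following is an added example, not part of the thread or of any eduroam or CAT tooling; the function names and the two sample observations are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl


def observe(host, port=443, timeout=5.0):
    """Record what the current network presents for host:port."""
    verify_error = None
    strict = ssl.create_default_context()  # OS trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message

    # Second handshake without verification, used only to read the leaf
    # certificate that was presented; no application data is sent over it.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return {"trusted": verify_error is None, "verify_error": verify_error,
            "leaf_sha256": hashlib.sha256(der).hexdigest()}


def compare(reference, suspect):
    """Classify an observation from the suspect network against a reference."""
    if suspect["leaf_sha256"] == reference["leaf_sha256"]:
        return "same certificate on both networks"
    if reference["trusted"] and not suspect["trusted"]:
        return "certificate replaced in path: " + str(suspect["verify_error"])
    return "different certificate, inconclusive (renewal or multiple front ends)"


# Constructed observations (not captured from the thread) for offline use.
MOBILE = {"trusted": True, "verify_error": None,
          "leaf_sha256": hashlib.sha256(b"constructed leaf A").hexdigest()}
CAMPUS = {"trusted": False, "verify_error": "unable to get local issuer certificate",
          "leaf_sha256": hashlib.sha256(b"constructed leaf B").hexdigest()}

if __name__ == "__main__":
    import json, sys
    print(json.dumps(observe(sys.argv[1])))  # run once per network, keep the output
```

Run it once on each network against the same host and pass the two saved results to `compare`; a mismatch combined with a trust failure on only one network is the evidence a Service Provider or RO can act on.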
