Skip to Content.

geteduroam - Re: geteduroam odd behaviour on Android 10?

Subject: An open discussion list for topics related to the geteduroam service

List archive

Re: geteduroam odd behaviour on Android 10?

Chronological Thread 
  • From: Stefan Paetow <Stefan.Paetow AT>
  • To: "geteduroam AT" <geteduroam AT>
  • Subject: Re: geteduroam odd behaviour on Android 10?
  • Date: Tue, 8 Dec 2020 20:04:16 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8gEwRZ5CD8PHOMTuCoP4aq0qP71Ma0NYQQ0FXP26mGE=; b=Kfy0wUYEj/tCqV65YGG4IT2o3nEbUW7e43Chi/UU7YQOPwf2KRmOX3SNu49LI83gZZhVXhIH13Fgb1ap0nHqwrVXpSmKVLGWsXFRz9yPLTaYSwyYVBs4Al2g/F2uPPmQc+904QSyG0LAtKvtk3gRvEe0yxW1+V6vPTnDPQfpjQlJ5uq7ZP1kjJoNPYTcDtVYW624R+xYJXs6YekZuYzXjpGtVv1eQlL+fXNLrBMm0YDPLt8twEYqWjFt9ZFtdXwo0yQJjGjtclpaF2/eK3XCeOVJ762CPJpHy429e2IUHCFVL4qRAMnXRQFWJOPQJw+ms1f1UcOJaoP48YFW8o2qPw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=IZQFgpn1J7Zg6vPXVOevkvxxHTk+QCd1b5uzWrgYx5sD2swuZGdDxaf4CfA2f7/Q3EFK51bzV2DcUo84Usmsy195w/k6JAM66qdDTDiLVF5J4n6gMUZqYLprokM1bOufa9JNRaVFTMifOk3Pl69vTBt8zg97872t8sE3+PU/IsQUUEaeGK4a2MP+E6pHj0LcU/vEJBAiOPx/0QBWHsAc5MbiqvCBYUtZ4wZIkcThMLEZpul35JOP3BB6TQ9PIqMbtQh4pcU7qz5Q9rtDgf78LHmnTEYRYN5LgqMRWrtipB67xiqkzThDqA0tyV1kGBDt6LEcZLCsy/DhxR0pg5k9Cw==
  • Authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;

The entire chain is shipped with the EAP handshake (I know, not ideal), but
the ultimate root *should* suffice.

I refer to this part in the IdP guide (verbatim):

"For most EAP methods, the required EAP details are
The Certification Authority (CA) certificate(s) which signed your EAP server
always include the root CA (root CAs are indicated with a blue circled "R"
besides the certificate details after upload)
optionally include intermediate CAs (intermediate or server certificates are
indicated with a blue circled ("I") besides the certficate after upload)
The name of your server as specified in the Common Name (CN) of your EAP
server certificate"

I've done a check and yes, the CA root cert on the server and the CA root
cert on CAT match (as per Martin), and openssl verifies the chain ok:

[support:~] openssl verify -CAfile bspa-root.crt -untrusted bspa-interm.crt
bspa-srv.crt: OK

So no, it's not the chain, because actual authentications would have failed.

With Regards

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT
skype: stefan.paetow.janet

In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.

On 08/12/2020, 15:39, "geteduroam-request AT on behalf of Paul
Dekkers" <geteduroam-request AT on behalf of
geteduroam AT> wrote:


Ah, in that case it looks like the intermediate certificate is missing?
This contains just the/a QuoVadis root.

Thanks for checking on the profile, I didn’t get to that yet,

(I doubt this profile works well in CAT?)


> On 8 Dec 2020, at 16:24, Martin Pauly <geteduroam AT>
> Am 08.12.20 um 16:07 schrieb Stefan Paetow (via geteduroam Mailing
>> The profile is correct. They use a root certificate.
> This one?
> ...
> --
> Dr. Martin Pauly Phone: +49-6421-28-23527
> HRZ Univ. Marburg Fax: +49-6421-28-26994
> Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
> D-35032 Marburg

Archive powered by MHonArc 2.6.19.

Top of Page