
geteduroam - Re: Cert setting not configured by geteduroam on Lineage Phone

Subject: An open discussion list for topics related to the geteduroam service



Re: Cert setting not configured by geteduroam on Lineage Phone


  • From: Martin Pauly <pauly AT hrz.uni-marburg.de>
  • To: geteduroam AT lists.geant.org
  • Subject: Re: Cert setting not configured by geteduroam on Lineage Phone
  • Date: Fri, 16 Apr 2021 17:34:32 +0200

Hi,

a long time ago, I had written:
I have a BQ Aquaris X Pro running Lineage 17.1. I removed eduroam
and our second SSID umrnet_staff from the WiFi settings. I called
geteduroam, entered the data and got the success message.

A look at the WiFi settings showed that the root cert is
available (probably installed by CAT before), but the setting
still says "Please Select". Sounds dangerous to me, what can we
do about it ?

Paul Dekkers replied:
I understand your concern; if you have just one intermediate
certificate it is displayed properly. If you have multiple, like
with the TCS service popular in our community, it is not displayed
properly in the settings. Instead, the settings show a red warning
that you still need to pick one: but that's because the UI can't
handle it. It's just a limitation of the UI, the certificates are
installed and used. So it's not insecure.

To be extra sure, I verified; and it's indeed not just the API
returning "things are OK", but they are actually OK. I was unable
to get online with a certificate from the same CA but with a
different name, or one from another CA with the same name for that
matter.

First, sorry for the delays, seems like everyone is busy.
In the meantime, I got around to firing up a primitive
rogue AP again, attacked myself, and was relieved to see no
success. So the supplicant at least seems to apply some default
cert check, presumably like what is done with "Default" or
"Use System Certificates".
But actually, this is not what we have Apps like eduroam CAT
or geteduroam for. All the cert-based use cases (i.e.
EAP-TLS, EAP-TTLS, PEAP, but not necessarily EAP-PWD)
include a pre-known cert for the network. So the client
_is_ in the position to pin the cert check to a unique
combination of Root Cert and Server name, hopefully valid
for at least a decade. At least in this basic case, with
no intermediate certs needed on the client, I would really
like to get this configured. Else, I can go and configure
manually.

I understand Android APIs are a big mess. The old eduroam
CAT app suffers from the same problem, BTW.

I haven't tried 1.0.17 yet as I could not see any related changes.
Any idea what to do about this?

Cheers, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
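What the pinned configuration Martin asks for looks like on Android, as an added illustration that is not part of this thread or of the geteduroam app: a WifiEnterpriseConfig that sets both the root CA and the expected server name, so the supplicant rejects a certificate from the same CA with another name as well as one with the right name from another CA. The PEM string, server name, SSID and identity values are placeholders, and the Android API calls (available since API level 23/29) are assumed as documented.

```java
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiNetworkSuggestion;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class PinnedEapConfig {
    // Placeholders: replace with the institution's real root CA (PEM) and RADIUS server name.
    static final String ROOT_CA_PEM =
            "-----BEGIN CERTIFICATE-----\n<ROOT CA PEM PLACEHOLDER>\n-----END CERTIFICATE-----\n";
    static final String SERVER_NAME = "radius.example.org";
    static final String SSID = "eduroam";

    // Parse a PEM-encoded X.509 certificate into the object the Android API expects.
    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    // EAP-TTLS/MSCHAPv2 profile with the server check pinned to root CA + server name.
    static WifiEnterpriseConfig buildEnterpriseConfig(String identity, String password)
            throws CertificateException {
        WifiEnterpriseConfig ec = new WifiEnterpriseConfig();
        ec.setEapMethod(WifiEnterpriseConfig.Eap.TTLS);
        ec.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        ec.setIdentity(identity);
        ec.setAnonymousIdentity("anonymous@example.org"); // outer identity; hides the real one
        ec.setPassword(password);
        // Pin 1: trust only this root. Leaving the CA unset ("Use system certificates") is the
        // weak state the thread is worried about. For a chain with intermediates on the client
        // side, setCaCertificates(X509Certificate[]) takes several certificates instead.
        ec.setCaCertificate(parsePem(ROOT_CA_PEM));
        // Pin 2: the server certificate's SAN/CN must end in this name. Without it, any
        // certificate issued by the pinned CA would be accepted, whatever name it carries.
        ec.setDomainSuffixMatch(SERVER_NAME);
        return ec;
    }

    // Wrap the profile in a network suggestion (the non-deprecated way to add a network on API 29+).
    static WifiNetworkSuggestion suggestionFor(WifiEnterpriseConfig ec) {
        return new WifiNetworkSuggestion.Builder()
                .setSsid(SSID)
                .setWpa2EnterpriseConfig(ec)
                .build();
    }
}
```

Hand the suggestion to WifiManager.addNetworkSuggestions(); a profile built this way fails authentication against a rogue AP presenting either a differently named certificate from the same CA or a same-named certificate from a different CA.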




