Subject: An open discussion list for topics related to the geteduroam service
List archive
- From: Paul Dekkers <paul.dekkers AT surf.nl>
- To: Martin Pauly <pauly AT hrz.uni-marburg.de>, "geteduroam AT lists.geant.org" <geteduroam AT lists.geant.org>
- Subject: Re: Cert setting not configured by geteduroam on Lineage Phone
- Date: Fri, 16 Apr 2021 16:57:22 +0000
Hi,
Perhaps I don’t understand; but this is what we do, right? Also in 1.0.16 we pin the certificates to what is provided in CAT? So it is secure?
We don’t use system certificates or just one or few generic CAs and hostnames, we take this from profiles in CAT, or from the pseudo/hosted account configuration of geteduroam.
Paul
(Sorry for not replying in line, using a stupid mail client.)
From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org> on behalf of Martin Pauly <geteduroam AT lists.geant.org>
Sent: Friday, April 16, 2021 5:34 PM
To: geteduroam AT lists.geant.org
Subject: Re: Cert setting not configured by geteduroam on Lineage Phone
Hi,
a long time ago, I had written:
>>> I have a BQ Aquaris X Pro running Lineage 17.1. I removed eduroam
>>> and our second SSID umrnet_staff from the WiFi settings. I called
>>> geteduroam, entered the data and got the success message.
>>>
>>> A look at the WiFi settings showed that the root cert is
>>> available (probably installed by CAT before), but the setting
>>> still says "Please Select". Sounds dangerous to me, what can we
>>> do about it?
Paul Dekkers replied:
>> I understand your concern; if you have just one intermediate
>> certificate it is displayed properly. If you have multiple, like
>> with the TCS service popular in our community, it is not displayed
>> properly in the settings. Instead, the settings show a red warning
>> that you still need to pick one: but that's because the UI can't
>> handle. It's just a limitation of the UI, the certificates are
>> installed and used. So it's not insecure.
>>
>> To be extra sure, I verified; and it's indeed not just the API
>> returning "things are OK", but they are actually OK. I was unable
>> to get online with a certificate from the same CA but with a
>> different name, or one from other CA with the same name for that
>> matter.
First, sorry for the delays, seems like everyone is busy.
In the meantime, I got around to fire up a primitive
Rogue AP again, attacked myself, and was relieved to see no
success. So the supplicant at least seems to apply some default
cert check, presumably like what is done with "Default" or
"Use System Certificates".
But actually, this is not what we have Apps like eduroam CAT
or geteduroam for. All the cert-based use cases (i.e.
EAP-TLS, EAP-TTLS, PEAP, but not necessarily EAP-PWD)
include a pre-known cert for the network. So the client
_is_ in the position to pin the cert check to a unique
combination of Root Cert and Server name, hopefully valid
for at least a decade. At least in this basic case, with
no intermediate certs needed on the client, I would really
like to get this configured. Else, I can go and configure
manually.
I understand Android APIs are a big mess. The old eduroam
CAT app suffers from the same problem, BTW.
I haven't tried 1.0.17 yet as I could not see any related changes.
Any idea what to do about this?
Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg
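As an added illustration of the configuration Martin is asking for (example code, not geteduroam's or CAT's own), the public Android WifiEnterpriseConfig API lets an app pin both the profile's own root certificate(s) and the RADIUS server name, so the supplicant never falls back to the system store; the class name PinnedEapConfig, the PEM input list and the PEAP/MSCHAPv2 choice are assumptions.

```java
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public final class PinnedEapConfig {

    // Parse every PEM-encoded CA the profile ships. A CAT profile for a TCS-issued
    // server certificate commonly carries more than one, and all of them are
    // handed to the supplicant even though the Settings UI can only show one
    // (hence the "Please select" it displays).
    static X509Certificate[] loadCaCerts(List<InputStream> pems) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (InputStream in : pems) {
            certs.add((X509Certificate) cf.generateCertificate(in));
        }
        return certs.toArray(new X509Certificate[0]);
    }

    // Build a network entry pinned to (profile CA(s), RADIUS server name).
    static WifiConfiguration build(String ssid, String identity, String anonId,
                                   String password, X509Certificate[] cas,
                                   String serverName) {
        WifiEnterpriseConfig eap = new WifiEnterpriseConfig();
        eap.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);
        eap.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        eap.setIdentity(identity);
        eap.setAnonymousIdentity(anonId);   // outer identity: no real username on the air
        eap.setPassword(password);
        // Trust only the roots from the profile (API 24+), not "Use system certificates".
        eap.setCaCertificates(cas);
        // Accept only a server whose certificate name matches this suffix (API 23+):
        // a cert from the same CA with another name, or from another CA with this
        // name, is rejected, which is exactly the pair of cases Paul tested.
        eap.setDomainSuffixMatch(serverName);

        WifiConfiguration cfg = new WifiConfiguration();
        cfg.SSID = "\"" + ssid + "\"";
        cfg.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        cfg.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
        cfg.enterpriseConfig = eap;
        return cfg;
    }
}
```

On Android 10 (the base of Lineage 17.1) a third-party app can no longer add such a WifiConfiguration directly; the same WifiEnterpriseConfig is passed instead through WifiNetworkSuggestion.Builder.setWpa2EnterpriseConfig.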