# eduroam Development VC Minutes 2022-04-26 1530 CEST

# Attendance

## Attendees
* Stefan Winter (Restena)
* Zenon Mousmoulas (GRNET)
* Arnaud Lauriou (RENATER)
* Maxime Houlbert (RENATER)
* Tomasz Wolniewicz (PSNC)
* Sara Jeanes (Internet2)
* Guy Halse (TENET)
* Louis Twomey (HEAnet)
* Maja Górecka-Wolniewicz (PSNC)
* Zbigniew Ołtuszyk (PSNC)
* Paul Dekkers (SURF)
* Mike Zawacki (Internet2)
* Chris Phillips (CANARIE)
* Philippe Hanset (ANYROAM)
* Stefan Paetow (Jisc)
* Edward Wincott (Jisc)

## Regrets

# Agenda / Proceedings

1. Welcome / Agenda Bashing

2. Recommendations for Wi-Fi 6E
   * now online! https://eduroam.org/eduroam-deployment-considerations-on-wi-fi-certified-6e/
   * Wi-Fi 6 and 6E are different things (6 = IEEE 802.11ax, which you can get on all frequency bands; 6E = IEEE 802.11ax on the 6 GHz band specifically)
   * please keep an ear on the ground for issues as they manifest

3. CAT code (CAT / Managed IdP / Managed SP)
   * one more translation round coming
   * `A` != `a`: upper-case and lower-case hex digits are not treated as the same hex number by some OSes
   * CAT produced capitals because one vendor required it
   * the vendor has since switched to small letters while CAT still produces capitals -> CAT profiles don't connect
   * SW needs to get confirmation that small letters are now what the vendor wants; code to be changed in that case
   
4. openssl 3.0 and EAP-TLS client certs
   * openssl 1 uses by default an RC4- cipher to encrypt the private key with the password
   * openssl 3 refuses to decrypt this, because of "legacy"
   * when generating a client cert on openssl 1, use the "-descert" option
   * when decrypting a "legacy" client cert on openssl 3, use the "-legacy" option
   * no effect on-the-wire; private key is used "raw" there, post-decrypt. No change to cert size in EAP, no effect on MTU, etc.
  
5. openssl 3.0 and TLS versions / insecure renegotiation 
   * by default, no insecure renegotiations
   * these typically only occur in TLS 1.0 / 1.1
   * wpa_supplicant and NetworkManager will fail horribly in the face of an EAP server needing this
   * strangely enough, wpa_supplicant is patched to exceptionally allow this and override the insecurity
   * It shouldn't be that way. Everyone should support TLS 1.2+ these days. 
   * NPS up until Windows Server 2016 seems to be hit by this by default (but has gone end of Mainstream Support this Jan!)  
   * Bug reports suggest some Aruba built-in EAP server does the same (no version info available)

6. What next on geteduroam.app / roadmap? (added by CP)

   * Questions on Mac support, wired 1X support. 
   * New version for Android in the works. ETA "later this year".
   * Mac support is difficult because the APIs are less rich than the iOS ones. Can work around this by installing a mobileconfig silently.
   * Fluctuations in the dev team, but going strong.
   * Sustainability? Reminder that this is in the Commons Conservancy; not just a hobby project. Also accepts donations ;-)

7. AOB / next VC: 05 July 2022 1530 CEST
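
Added example for item 4 (not part of the minutes, and not eduroam or CAT code): a Python triage script that flags client-certificate files which would need the `-legacy` option on OpenSSL 3, so they can be re-exported before rollout. It assumes the client cert is shipped as a PKCS#12 file, and it goes beyond the RC4 case in the notes to also cover the RC2-based PKCS#12 schemes, which OpenSSL 3 likewise keeps in its legacy provider; the function names and sample bytes are constructed for illustration.

```python
import sys

# Subset of PKCS#12 PBE OIDs (RFC 7292 appendix C); True = cipher lives in
# OpenSSL 3's legacy provider, so decrypting needs "-legacy".
PBE_OIDS = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHAAnd128BitRC4", True),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHAAnd40BitRC4", True),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHAAnd128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", False),
}

def der_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def pbe_schemes(p12_bytes):
    """Return [(name, needs_legacy)] for every known PBE OID found in the file."""
    return [(name, legacy) for oid, (name, legacy) in PBE_OIDS.items()
            if der_oid(oid) in p12_bytes]

def needs_legacy_provider(p12_bytes):
    return any(legacy for _, legacy in pbe_schemes(p12_bytes))

def sample_algid(dotted):
    """Constructed test input: one AlgorithmIdentifier, not a full PKCS#12 file."""
    params = bytes([0x04, 0x08]) + bytes(8) + bytes([0x02, 0x02, 0x08, 0x00])
    inner = der_oid(dotted) + bytes([0x30, len(params)]) + params
    return bytes([0x30, len(inner)]) + inner

if __name__ == "__main__":
    if sys.argv[1:]:  # scan the .p12 files named on the command line
        inputs = {}
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                inputs[path] = fh.read()
    else:  # no arguments: run over the constructed samples
        inputs = {"constructed-" + o: sample_algid(o) for o in PBE_OIDS}
    for label, data in inputs.items():
        verdict = "needs -legacy on OpenSSL 3" if needs_legacy_provider(data) else "no legacy PBE scheme found"
        print(f"{label}: {pbe_schemes(data)} -> {verdict}")
```

The check is a byte search for the DER-encoded algorithm OIDs, which sit unencrypted in the PKCS#12 container, so no password is needed; it is a triage heuristic, not a full ASN.1 parse.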
