Software-Security on Dag's home

Eduroam on Linux: how to connect to Eduroam and update crypto policy on Ubuntu

dag7+ifyourenotallmpleaseremovethis@protonmail.com (Dag) — Fri, 20 Feb 2026 17:56:00 +0100

September 2019. First day at University, I was a freshman.

After attending the first hour lesson (it was either algorithm or digital system), I’ve started to play my favorite game: discovering Wi-Fi networks around me “just for fun”.

It’s been my favorite hobby since around 2008, when I used to play with old Nintendo/Sony consoles. At the time, Wi-Fi wasn’t spread anywhere like now: many access points were (still) secured by WEP, some by WPA and others were… unprotected!

Going back to our story: other than discovering the so-called “meme networks” like “Marco is beautiful, let’s meet outside”, “Not a Wifi Connection”, “Crack me”, or even “5G Antenna”, for a certain time it used to remember me when AirTag became popular to exchange prank messages,

In particular, two networks came to my attention:

<local university network> - free wifi
eduroam - secured

From the official Eduroam website , this project aims to connect other universities around the world in order to create an ubiquitous internet access, provided that you are successfully signed to your University. There’s also an official link to see where Eduroam is available, with supported countries and locations

“Cool” - I thought - “I just need to connect to that Wifi Network, it asks for my identity but it doesn’t work”.

A quick research led to cat.eduroam.org the configuration assistant tool, required to connect to RADIUS server. It says “available for Windows, Linux and MacOS”. There also is an Android app call geteduroam.

On Windows the tool is decent, on Android too. Cannot say for MacOS because I don’t own a Mac.

What about Linux? Well, it turns out that CAT works as well on Linux but… it won’t. Why? That’s why we’re here, let’s break down the entire process.

When we open the python script, we’re greeted by a classic “username, password, repeat password”. We should hit save and be able to connect to Wi-Fi after input our university password.

Troubleshooting

The first thing I run is dmesg. Here’s the output:

feb 20 15:45:40 d wpa_supplicant[995]: wlan0: Associated with xx:xx:xx:xx:xx:xx
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
feb 20 15:45:40 d wpa_supplicant[995]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
feb 20 15:45:40 d wpa_supplicant[995]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-DISCONNECTED bssid=xx:xx:xx:xx:xx:xx reason=23
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=38 reason=AUTH_FAILED
feb 20 15:45:40 d wpa_supplicant[995]: BSSID xx:xx:xx:xx:xx:xx ignore list count incremented to 2, ignoring for 10 seconds

The relevant lines are

feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
feb 20 15:45:40 d wpa_supplicant[995]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol

The newer versions of Ubuntu (and Debian), uses newer version of TLS by default… TLS v1.0 is deprecated, so we are forced to use the latest TLS version.

Initial solution: update-crypto-policy

On Fedora there is a command called update-crypto-policy that allows to use TLSv1.0 by simply launching a command.

However, this is not available on Debian and Ubuntu. There is an old package in 2019, but even if you install it and try to setup this policy using that package it won’t work.

Therefore, even if you install the package, it won’t work, we must use another (dirty) trick.

What to do

The BEST thing to do, since TLS1.0 has been deprecated, is to update TLS version of the Access Point.

We have notified the head of the infrastructure of our university to let it be aware of this.

Meanwhile we have tried to figure out a fix.

According to NetworkManager Gitlab we can (temporary) fix this behavior by allowing TLSv1.0 tls-1-0-enable (0x20) set phase-1-auth-flags to 32 which in hex is 20.

Practical steps

Run Eduroam CAT for Linux. This is mandatory in order to generate the right config file.
sudo nano /etc/NetworkManager/system-connections/<your-connection-ssid-here>.nmconnection in our case, eduroam
under [802-1x] preamble, add phase1-auth-flags=32 as the latest line. Save!
restart both NetworkManager and wpa_supplicant
to connect to eduroam from now, run sudo nmcli --ask connection up eduroam . It will ask for your password: enter your password and enter
wait a while and… you’re connected!

NOTE: if you look at your wifi network indicator, something’s really wrong: it looks like you’re connected with each network, and connect / disconnect won’t work

Everytime you need to connect to eduroam, you need to perform the step 5

To disconnect, just connect to another network (using nmcli).

NOTE: Your NetworkManager will be not usable unless you manually disconnect from Eduroam

NOTE for Fedora users: since the command update-crypto-policies is available (on Debian it is not, even if you manually install it from an old version) you also need to launch sudo update-crypto-policies –set DEFAULT:SHA1

Unfortunately right now there’s no alternative than waiting (😴) for TLS update

That’s all folks!

Let’s hope our university will hear us and update TLS. Security is important, especially on “public” usable Wi-Fi.

Special thanks to “X.” for bearing with me for each step. Without it, this article wouldn’t have existed.

If this article has been useful for you, consider to leave a small donation (paypal) or buy me a virtual coffee! Your support is really important, and knowing that, makes me happy.

The rabbit hole of being curious

dag7+ifyourenotallmpleaseremovethis@protonmail.com (Dag) — Sun, 20 Oct 2024 00:00:00 +0000

Starting a new academic year

A new academic year has started. Well, not today, but a month ago.

Geez, time flies.

It is strange how every academic year feels like the first one but with the knowledge of the previous ones. It is like a new game plus, but with the same character and more skills: scared of the unknown, but with the knowledge of the past.

Anyway, here’s the story: I’ve started some brand new courses. I always have been curious about the world, especially for the things that are related in my field of study.

Informatics is divided into many branches, but I think the major ones are:

Backend programming: the part of the software that is not visible to the user, you know, “the magic under the hood”
Frontend programming: the part of the software that is visible to the user, the “part that the user sees”
DevOps: the part of the software that is related to the deployment and the maintenance of the software, fundamental skill for a developer, but also for a system administrator
Security: the part of the software that is related to the security of the software, the “part that keeps the software safe”

During the years, I’ve explored many of these branches, I’m currently working as a backend developer and DevOps, but I’ve always been interested in the security part. It is fascinating how a software can be secure or not, and how a software can be exploited by a malicious user.

Because, after all, user is the most unpredictable part of the software.

Knowing how to write a good and a bad software is a fundamental skill. Knowing how to break it, it is even more important because you can understand how to protect it and how to write a more secure software.

The rabbit hole

Yesterday I got up in the morning, and started to study like a fool. I was highly demotivated: this is related to the fact that I’ve attempted a couple of exams in the past, and I’ve failed them. I’ve studied a lot, but I’ve failed them.

I was demotivated, but I’ve decided to try again.

This time is different: I’ve started to study two courses, one about the security of the software and the other one is about malware analysis.

It is impossible to explain how much I’m enjoying them: the stuff is exactly what I was looking for years, but I never dared to study by myself, because I was scared of its complexity.

Well, they are not easy: they are definitely not easy, but I don’t think they are impossible, and being in an universitarian environment, I can ask for help if I need it or if I’m stuck, while alone at home, I cannot ask for help, and I’m stuck with my thoughts.

So, until now, I’ve been studying a lot, and I’ve learned a lot of things.

Everytime I’ve finished a lesson, I had a dopamine rush, and I wanted to know more about it, in particular by consuming videos and articles.

It would be a good idea:

to write some articles about security and malware analysis, what I’m learning, to not forget them
update my notes with the new things I’m learning

On Curiosity

I will never understand why I get in love with things I don’t know. When I grasp a new concept, I feel like I’m in love with it, and I want to know more about it, but this is applied to every unknown field and leads me to a rabbit hole of curiosity.

Unfortunately the time is limited, and I cannot explore everything I want with the depth I want.

I’m a curious person, and I will always be.

xoxo, Damiano

p.s. very soon I will start in reading “Atomic Habits” by James Clear, I’ve heard a lot of good things about it, and I’m curious to know more about it. I will write an article about it, for sure.

p.p.s. I’m so happy that I’ve finally have found some time to write an article: it makes me feel good.

Shadowcopy

dag7+ifyourenotallmpleaseremovethis@protonmail.com (Dag) — Mon, 07 Feb 2022 11:52:34 +0100

Summertime sadness

Losing files, especially if important, is always an unpleasant sensation, that anybody should avoid in their entire life.

It feels you dumb, because you could have done a backup, frustrated because of “why me?”, occasionally mad with all the machines in the world and really sad about the loss of your files.

Most especially, if this happens in critical situation, like you’re going on holiday and you’re transferring your files between two of yours hard drive because “hey, what a wonderful idea to free some space from the hard drive the night before leaving! What could ever go wrong?”, it could entirely ruin your relaxing vacation.

If anything can go wrong, it will — Murphy’s Law¹

What can we do?

Well, there are not many solutions; you could:

use specifically designed software for data recovery
- the best open source tool is PhotoRec: however is very slow
recover them by using a backup: it is important to have a backup hard drive, always save your files at least twice. But probably if you’re reading this article you are in troubles…
use Medicat USB which contain A LOT of tools
finally, if you’re lucky enough to have shadow copy enabled on your system, using shadow copies, which is the reason why you’re here

What the shadow copies are… G-Gengar?

Under a full moon, this Pokémon likes to mimic the shadows of people and laugh at their fright. — Pokémon Red & Blue

What does this mean?

If you’re lucky enough to have this service enabled on your machine², Windows keeps a snapshot (copy) of all your data files and folders, to let you recover them in a second moment, in case of data loss or something’s gone wrong.

How to recover data

Download Shadow Explorer and unzip the archive in a folder.

Run the executable file.

A list of snapshot will be listed, select the snapshot you want and… boom, your files are back on track, ready to be used!

Lesson learnt

Always have a backup, but in case you don’t, it is always useful to know these awesome tricks!

First Murphy’s Law ↩︎
needs more research: is it enabled by default? ↩︎