# eduroam Development VC Minutes 2022-04-26 1530 CEST
# Attendance
## Attendees
* Stefan Winter (Restena)
* Zenon Mousmoulas (GRNET)
* Arnaud Lauriou (RENATER)
* Maxime Houlbert (RENATER)
* Tomasz Wolniewicz (PSNC)
* Sara Jeanes (Internet2)
* Guy Halse (TENET)
* Louis Twomey (HEAnet)
* Maja Górecka-Wolniewicz (PSNC)
* Zbigniew Ołtuszyk (PSNC)
* Paul Dekkers (SURF)
* Mike Zawacki (Internet2)
* Chris Phillips (CANARIE)
* Philippe Hanset (ANYROAM)
* Stefan Paetow (Jisc)
* Edward Wincott (Jisc)
## Regrets
# Agenda / Proceedings
1. Welcome / Agenda Bashing
2. Recommendations for Wi-Fi 6E
* now online! https://eduroam.org/eduroam-deployment-considerations-on-wi-fi-certified-6e/
* Wi-Fi 6 and 6E are different things (6 = IEEE 802.11ax, which you can get on all frequency bands; 6E = IEEE 802.11ax on the 6 GHz band specifically)
* please keep an ear on the ground for issues as they manifest
3. CAT code (CAT / Managed IdP / Managed SP)
* one more translation round coming
* "A" != "a": hex digits in capitals and in small letters are not treated as the same hex number by some OSes
* CAT produced capitals because one vendor required it
* the vendor has now switched to small letters, while CAT still produces capitals -> CAT profiles don't connect
* SW needs to get confirmation that small letters are now what the vendor wants; code to be changed in that case
4. openssl 3.0 and EAP-TLS client certs
* openssl 1 uses by default an RC4- cipher to encrypt the private key with the password
* openssl 3 refuses to decrypt this, because of "legacy"
* when generating a client cert on openssl 1, use the "-descert" option
* when decrypting a "legacy" client cert on openssl 3, use the "-legacy" option
* no effect on-the-wire; private key is used "raw" there, post-decrypt. No change to cert size in EAP, no effect on MTU, etc.
5. openssl 3.0 and TLS versions / insecure renegotiation
* by default, no insecure renegotiations
* these typically only occur in TLS 1.0 / 1.1
* wpa_supplicant and NetworkManager will fail horribly in the face of an EAP server needing this
* strangely enough, wpa_supplicant is patched to exceptionally allow this and override the insecurity
* It shouldn't be that way. Everyone should support TLS 1.2+ these days.
* NPS up until Windows Server 2016 seems to be hit by this by default (but has gone end of Mainstream Support this Jan!)
* Bug reports suggest some Aruba built-in EAP server does the same (no version info available)
6. What next on geteduroam.app / roadmap? (added by CP)
* Questions on Mac support, wired 1X support.
* New version for Android in the works. ETA "later this year".
* Mac support is difficult because the APIs are less rich than the iOS ones. Can work around this by installing a mobileconfig silently.
* Fluctuations in the dev team, but going strong.
* Sustainability? Reminder that this is in the Commons Conservancy; not just a hobby project. Also accepts donations ;-)
7. AOB / next VC: 05 July 2022 1530 CEST
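
For item 4 above, an added example (not part of the minutes and not eduroam or CAT code): a heuristic Python scan that lists the password-based encryption scheme OIDs in a PKCS#12 client-cert file and flags the RC2/RC4 ones that openssl 3 only decrypts with "-legacy". Function names and sample bytes are constructed for illustration; it assumes a DER-encoded .p12 whose algorithm identifiers appear in the clear.

```python
import sys

# DER bytes of the OID arc 1.2.840.113549.1.12.1 (pkcs-12PbeIds); the byte
# that follows selects the password-based encryption scheme.
PBE_PREFIX = bytes.fromhex("060a2a864886f70d010c01")
# Final arc -> (scheme name, True if the cipher is in OpenSSL 3's legacy provider)
PBE_SCHEMES = {
    1: ("pbeWithSHAAnd128BitRC4", True),
    2: ("pbeWithSHAAnd40BitRC4", True),
    3: ("pbeWithSHAAnd3-KeyTripleDES-CBC", False),
    4: ("pbeWithSHAAnd2-KeyTripleDES-CBC", False),
    5: ("pbeWithSHAAnd128BitRC2-CBC", True),
    6: ("pbeWithSHAAnd40BitRC2-CBC", True),
}

def pbe_schemes(blob: bytes) -> list:
    """List (name, is_legacy) for every PKCS#12 PBE OID found in blob, in file order."""
    found, pos = [], blob.find(PBE_PREFIX)
    while pos != -1:
        arc = blob[pos + len(PBE_PREFIX):pos + len(PBE_PREFIX) + 1]
        if arc and arc[0] in PBE_SCHEMES:
            found.append(PBE_SCHEMES[arc[0]])
        pos = blob.find(PBE_PREFIX, pos + 1)
    return found

def needs_legacy(blob: bytes) -> bool:
    """True if any bag uses a cipher that openssl 3 only decrypts with -legacy."""
    return any(is_legacy for _, is_legacy in pbe_schemes(blob))

def _alg_id(arc: int) -> bytes:
    """Constructed AlgorithmIdentifier: OID plus dummy salt and iteration count."""
    params = b"\x30\x0e\x04\x08" + bytes(8) + b"\x02\x02\x08\x00"
    body = PBE_PREFIX + bytes([arc]) + params
    return b"\x30" + bytes([len(body)]) + body

# Constructed fragments for illustration, not real key material.
SAMPLE_RC2_CERT = _alg_id(6) + _alg_id(3)  # RC2-40 cert bag, 3DES key bag
SAMPLE_DESCERT = _alg_id(3) + _alg_id(3)   # both bags 3DES, as with -descert

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        names = ", ".join(n for n, _ in pbe_schemes(data)) or "no PKCS#12 PBE OID found"
        verdict = "needs -legacy" if needs_legacy(data) else "ok"
        print(f"{path}: {verdict} [{names}]")
```

Run it with one or more .p12 paths as arguments; a file reported as "no PKCS#12 PBE OID found" may use PBES2 or may not be a PKCS#12 file at all.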