Android 7.1 and higher allow halfways safe use of "Use System CAs" and the UI checks should reward it for that

[restena-sw]

From a mail from Ralf Paffrath on the eduroam SG list:

'on ANDROID 7.1.1 nougat you can configure “Use system certificates” and you can although
choose the domain (domain_suffix_match) e.g. radius server name the first time. If you choose Use system certificates you must
choose a domain_suffix_match also otherwise you can not go further.
So it is possible for an eduroam user to configure eduroam securely by the user interface without using eduroamCAT App if the IdP uses a PKI which RootCA is part of the system
certificates in ANDROID 7.'

But if you have installed eduroamCAT App already and use the user interface to configure eduroam securely the eduroamCAT App notifies there is something wrong with the eduroam configuration, some red checks: No CA certificate found and Server Subject Match missing. In both cases the notification are wrong because of the red checks and this is misleading for the eduroam user.

Expected behaviour:

if a system config has set both "Use System CAs" and "domain_suffix_match" then the CA info should not be an error (red), but a warning (yellow) stating:

"(!) All device CAs are trusted for this connection"

Also, if domain_suffix_match is set from end-user UI, the field "Server Subject Match" should go to green state.

[ghost]

hint: the android version is not a good identifier for this exception i've seen some Android 6 devices with this functionality and some Android 8 without... some do differ in extent of the features ege. some even allow to select a specific CA from storage (this maybe only Lineage OS but i'm not sure)...