@mrtuple Protecting against MITM with accepted certificates (either manually or by PKI) is not within the scope of DAVdroid. It would also mean that Basic auth would have to be disabled completely.
TLS is already a way to protect the connection – in my opinion, there's no need to implement "TLS in TLS". "Rogue IT staff" could see all private data (= not only passwords, but also events, tasks etc.) even when using Digest auth. It would also mean that Web-based logins over TLS (like every online bank uses) are insecure.
But now this is a discussion about whether TLS connections are secure and whether Basic auth is evil, and I don't want to make these topics a discussion about DAVdroid.
Update: Maybe we should create an off-topic / general discussion forum for such things? What would you think?
So with that option commented out it's working fine, I'm on 18.104.22.168-ose from F-Droid and Android 7.
Apparently Android 7 supports only up to secp256r1, this was supposedly fixed in 7.1.1.
Aside from that, a bit of a rant: why are GitLab issues not enabled and instead this forum is used as a bug report tool? I have to create yet another account and wade through 5 Google captchas just to write this.
Maybe you can try entering https://example.com/webdav/user in your browser to see whether it works. Seems like an SSL error, and maybe you can check your network (try different WiFi / mobile data) and the server SSL configuration.
I wonder if you support HPKP. If not, it would be awesome if you added support.
E.g. Posteo supports it and it can be easily implemented as it is just an HTTP header. However, the result is a huge security improvement, making MITM attacks much more difficult.
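As an added example (not part of the post above and not DAVdroid's code), this Python code shows what client-side HPKP handling involves under RFC 7469: parsing the `Public-Key-Pins` header, storing the policy only when it has a `max-age`, a pin matching the current chain and a backup pin, then checking later connections against the stored pins. The function names and the SPKI byte strings are assumptions constructed for illustration.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value; malformed pins are ignored."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            try:  # a SHA-256 pin must decode to exactly 32 bytes
                if len(base64.b64decode(value, validate=True)) == 32:
                    policy["pins"].add(value)
            except ValueError:
                pass
        elif name == "max-age" and value.isascii() and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def should_note_pins(policy: dict, chain_pins: set) -> bool:
    """Store the policy only if it has max-age, matches the current chain,
    and carries at least one backup pin that is not in the chain."""
    if policy["max_age"] is None:
        return False
    return bool(policy["pins"] & chain_pins) and bool(policy["pins"] - chain_pins)


def connection_allowed(noted_pins: set, chain_pins: set) -> bool:
    """With stored pins, a later chain must contain one pinned key."""
    return not noted_pins or bool(noted_pins & chain_pins)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF, BACKUP, ROGUE = b"constructed-leaf", b"constructed-backup", b"constructed-rogue"
HEADER = (f'pin-sha256="{spki_pin(LEAF)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          "max-age=5184000; includeSubDomains")
```

In a real client the chain pins would be computed from the SubjectPublicKeyInfo of each certificate in the validated chain rather than from placeholder bytes.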
Due to security reasons, my ownCloud is only accessible via client certificates. Currently all requests from my smartphone (Android 6) are rejected, even if I am able to access the server with Chrome. (Chrome supports client certificates)
If you need a test environment, I can set up a test server for you.
Well, this is weird. I don't use CAdroid. I place SSL cert in webserver root. Navigate to it via web browser, then download and add to trusted credentials. This is how I have always performed this on my phone since initially I believe some time ago CAdroid did not like self-signed certificates.
CAdroid is only a helper for the Android certificate import process. It downloads the certificate from an HTTPS server, saves it in the format required by Android and then calls the Android "Import certificate" dialog.
Android didn't like self-signed certificates without CA flag. So, CAdroid shows a warning for certificates without CA flag, because they won't work with most Android devices. Nothing more. So, if you can import your certificate using a browser, you can also import it using CAdroid, and the other direction.
However, this is only required if you need the certificate to be valid for all system apps (e.g. email app, etc.). If you import a certificate, it will be valid for all apps, including DAVdroid. However…
Is it possible to accept self-signed cert in DavDroid?
… if you only use the certificate with DAVdroid, there's no need to import it. DAVdroid handles self-signed certificates on its own using MemorizingTrustManager. So, if you connect to a server and add the certificate in DAVdroid, it won't show up in the system/user certificates, because only DAVdroid knows that it's valid and stores it in its own keystore (<davdroid>/KeyStore/KeyStore.bks).
I do not see the cert in my user trusted credentials on the tablet. I don't believe I set this connection up via http, but cannot see how to check short of removing the account. Let me know if there is a way to check if this connection (account) web address without removing account.
I don't know what you mean. What exactly do you want to check?
Thanks. BTW paid for app (davdroid) in play store. This app is looking good design wise. Thanks.