Private Certificates Not Working Android 7.0 Nougat



  • DAVDroid app developer needs to opt in in app settings
    http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html

    This has not been done as of version 1.2.3. Therefore, no way to sync Android 7.0 with a private certificate authority


  • developer

    I don't understand what you mean. Could you please explain it further and provide steps to reproduce?

    Do you mean that you have added a custom CA to Android, and it's not being detected by DAVdroid? In this case, DAVdroid should treat it as it would not have been added to Android and ask whether to trust it.



  • Same problem on my Nexus 9 with Android Nougat. It hasn't been syncing since the upgrade to 7.0. Android just asks if it should trust an unknown CA. Answering "once" or "always" doesn't help. Davdroid worked without problems on Marshmallow.


  • developer

    @Bernd said in Private Certificates Not Working Android 7.0 Nougat:

    Same problem on my Nexus 9 with Android Nougat. It hasn't been syncing since the upgrade to 7.0. Android just asks if it should trust an unknown CA. Answering "once" or "always" doesn't help. Davdroid worked without problems on Marshmallow.

    Android asks, or DAVdroid/MTM asks?

    Could you please explain the actual problem, including steps to reproduce? Do you mean that you have added a custom CA to Android, and it's not being detected by DAVdroid? I don't have an Android 7 device for testing, and it may take some time to set up an emulator.



  • Ok, I've been using Davdroid with a self-signed certificate that was imported by CADroid. Everything worked well up to the upgrade to Nougat.

    Davdroid shows a screen that the certificate was issued by an unknown CA when it starts to sync. In the window (that covers ca. 3/4 of the screen) it shows the certificate details. Davdroid asks if it should trust the certificate. It gives the options "cancel", "once" or "always". Answering "always" makes it vanish.

    I don't really know if it is an app window of Davdroid or a system message. In the task manager there's Davdroid in the window title.

    It always shows up twice, I suppose for calendar and contacts. I have one calendar and one addressbook to sync with a Baikal server.

    Android's account settings show that there are synchronisation problems in the davdroid account. Last sync is from the day when I upgraded.

    I don't have the problem with my phone that runs Marshmallow. So I also think it comes from Android's new policy of handling certificates.

    I am not a developer but I think there are some changes that have to be made in Davdroid.


  • developer

    @Bernd said in Private Certificates Not Working Android 7.0 Nougat:

    Ok, I've been using Davdroid with a self-signed certificate that was imported by CADroid. Everything worked well up to the upgrade to Nougat.

    I see. According to Android 7.0: Network Security Configuration, user-installed CAs are not trusted anymore by default.

    Davdroid shows a screen that the certificate was issued by an unknown CA when it starts to sync. In the window (that covers ca. 3/4 of the screen) it shows the certificate details. Davdroid asks if it should trust the certificate. It gives the options "cancel", "once" or "always". Answering "always" makes it vanish.

    Did this screen show up before Android 7, too? As far as I understand it, it should not have appeared before, if you have installed the CA system-wide.

    It always shows up twice, I suppose for calendar and contacts. I have one calendar and one addressbook to sync with a Baikal server.

    (A known problem, which is going to be fixed soon.)

    Android's account settings show that there are synchronisation problems in the davdroid account. Last sync is from the day when I upgraded.

    Can you refresh the collection list in DAVdroid? When the popup shows up, it should work then.

    I don't have the problem with my phone that runs Marshmallow. So I also think it comes from Android's new policy of handling certificates.

    I guess it's a combination of MemorizingTrustManager problems plus the Android 7 changes, but I'd like to verify that.

    Can you try to

    1. terminate DAVdroid in the task manager,
    2. launch DAVdroid, go into an account, "Refresh CalDAV/CardDAV collections"
    3. if a popup appears, "always accept"
    4. terminate DAVdroid again
    5. launch it again, go into this account, synchronize?


  • It hasn't shown up with Android 6.

    But your 5 steps helped. It syncs again :)

    I'll keep an eye on it ...



  • The app MUST be updated

    To allow use of user certificate authorities (a CA certificate not from Verisign or such), the app must allow in its security settings that user CAs can be used, and there are lots of settings around that.

    The link that I posted in the initial OP provides an overview of what needs to be done.

    No DAVDroid to date has those settings, so for Android 7.0 only trusted certificates can be used, i.e. Let's Encrypt.

    Please, compile it in already. It can be tested in the AVD emulator.



  • So if your DAV server (nginx or such) has a self-signed CA certificate, certificate and private key produced in your dorm room with easy-rsa or openssl,

    and the CA certificate is added to Android via Settings > Security > Install from storage,

    it appears in Android Settings under User credentials.

    The alternative:
    a trusted certificate you get from someone like Let's Encrypt, and it works based on the domain name in it and that it is signed by a trusted authority appearing in Android Settings > Security > Trusted credentials > System. Because the certificate is presented by the IP the domain resolves to, there is a chain of trust.

    Because Google wants trusted credentials that are less hackable, the app needs to explicitly allow dorm room CA certificates. Man-in-the-middle attacks on corporate service apps like Gmail are now much harder. The user can no longer by stupidity ignore certificate warnings and connect to impersonation sites. If the app provider says only trusted, that's the way it's gonna be.
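    The per-app opt-in that the two posts above refer to is Android 7.0's Network Security Configuration. The following resource file is an added illustration, not DAVdroid's own code: it keeps the system anchors and additionally re-enables CAs that the user installed under Settings > Security > User credentials, for this one app only.

    ```xml
    <?xml version="1.0" encoding="utf-8"?>
    <!-- res/xml/network_security_config.xml (illustration added here, not a DAVdroid file).
         Apps targeting API 24+ trust only src="system" anchors by default; listing
         src="user" restores trust in user-installed CAs for this app, while every
         other app on the device keeps the stricter default. -->
    <network-security-config>
        <base-config>
            <trust-anchors>
                <!-- Android's built-in root store (Settings > Security > Trusted credentials > System) -->
                <certificates src="system" />
                <!-- CAs the device owner installed (Settings > Security > Trusted credentials > User) -->
                <certificates src="user" />
            </trust-anchors>
        </base-config>
    </network-security-config>
    ```

    The file only takes effect when the manifest points at it with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. Because a user-installed root can inspect all of the app's TLS traffic, a narrower alternative is to list `<certificates src="user" />` inside a `<domain-config>` for just the CalDAV/CardDAV host instead of in `<base-config>`, so that connections to any other host still require a system anchor.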



  • The popup to connect to an untrusted CA certificate site still appears and you can say ignore

    However, an exception is thrown when DAVDroid actually tries to connect

    java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.



  • Article about the problem
    https://www.fastcompany.com/3042030/tech-forecast/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be

    A root user certificate can see all traffic, replace ads on your https pages and the like


  • developer

    Could you please check with DAVdroid 1.3? Both problems (user-installed CAs not trusted by default and the non-working process of accepting custom certificates) should have been solved.



  • I've got the app from F-Droid, there is no update yet.


  • developer

    @Bernd Please check as soon as they have compiled it.



  • F-Droid claimed they build every 24 h. Since that did not happen, there seems to be some manual action required on their part.

    1.3 was published 160902 at 10:22Z, some 37 hours ago.



  • DAVDroid 1.3-ose is now available from https://f-droid.org and it works for Android 7.0 Nougat



  • Still got synchronisation errors after the upgrade. I recreated the account and everything works now.
    Thanks for the support!
    Tschüss,
    Bernd

