Private Certificates Not Working Android 7.0 Nougat



  • The app MUST be updated

    To allow use of user certificate authorities (a CA certificate not from Verisign or such), the app must allow in its security settings that user CAs can be used, and there are lots of settings around that.

    The link that I posted in the initial OP provides an overview of what needs to be done.

    No DAVDroid to date has those settings, so for Android 7.0 only trusted certificates can be used, i.e. letsencrypt.

    Please, compile it in already. It can be tested in the AVD emulator.
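    An added example, not DAVdroid's own code, of the Android 7.0 Network Security Configuration an app has to ship to opt in to user-installed CAs; the file path and the host dav.example.org are assumptions:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed path: res/xml/network_security_config.xml, referenced from the manifest as
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>

    <!-- Nougat's default trust store written out explicitly (plus a cleartext ban):
         only the system CA store is trusted, so a CA installed under
         Settings > Security > User credentials is ignored and a connection to a server
         signed by it fails with "Trust anchor for certification path not found". -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Opt-in limited to the user's own CalDAV/CardDAV host: user-installed CAs are
         accepted for this domain only, every other host keeps the system-only default,
         so a malicious user CA cannot intercept the app's other traffic. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">dav.example.org</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

    <!-- Applies only to debuggable builds (e.g. testing in the AVD emulator); release
         builds ignore it, so user CAs are never silently trusted app-wide. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

    A general-purpose client like DAVdroid, which cannot know the server name in advance, would add the `user` source under `base-config` instead of a `domain-config`.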



  • So if your DAV server (nginx or such) has a self-signed CA certificate, certificate and private key produced in your dorm room with easy-rsa or openssl, and the CA certificate is added via Android Settings > Security > Install from storage, it appears in Android Settings > User credentials.

    The alternative:
    a trusted certificate you get from someone like letsencrypt, and it works based on the domain name in it and the fact that it is signed by a trusted authority appearing in Android Settings > Security > Trusted credentials > System. Because the certificate is presented by the IP the domain resolves to, there is a chain of trust.

    Because Google wants trusted credentials that are less hackable, the app needs to explicitly allow dorm-room CA certificates. Man-in-the-middle attacks on corporate services apps like Gmail are now much harder. The user can no longer by stupidity ignore certificate warnings and connect to impersonation sites. If the app provider says only trusted, that’s the way it’s gonna be.



  • The popup to connect to a site with an untrusted CA certificate still appears and you can say ignore.

    However, an exception is thrown when DAVDroid actually tries to connect:

    java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.



  • Article about the problem
    https://www.fastcompany.com/3042030/tech-forecast/the-huge-web-security-loophole-that-most-people-dont-know-about-and-how-its-be

    A root user certificate can see all traffic, replace ads on your HTTPS pages and the like.


  • developer

    Could you please check with DAVdroid 1.3? Both problems (user-installed CAs not trusted by default and the non-working process of accepting custom certificates) should have been solved.



  • I’ve got the app from F-Droid, there is no update yet.


  • developer

    @Bernd Please check as soon as they have compiled it.



  • F-Droid claimed they build every 24 h. Since that did not happen, there seems to be some manual action required on their part.

    1.3 was published 160902 at 10:22Z, some 37 hours ago.



  • DAVDroid 1.3-ose is now available from https://f-droid.org and it works for Android 7.0 Nougat



  • Still got synchronisation errors after the upgrade. I recreated the account and everything works now.
    Thanks for the support!
    Bye,
    Bernd

