Custom certificate broken on Android 4



  • Ni! Hi there,

    My phone runs Android 4 and DavDroid used to work fine with a custom certificate until recently.

    Now the logs show it halting during certificate validation:

    2016-10-12 17:30:45 2 [cert4android.CustomCertManager] Certificate not trusted by system
    2016-10-12 17:30:45 2 [cert4android.CustomCertManager] Querying custom certificate trustworthiness
    2016-10-12 17:30:45 0 [cert4android.CustomCertService$MessageHandler] Handling request: { when=0 what=1 target=at.bitfire.cert4android.CustomCertService$MessageHandler }
    2016-10-12 17:30:45 3 [cert4android.CustomCertManager$MessageHandler] Received reply from CustomCertificateService: { when=0 what=0 arg2=1 target=android.os.Handler }
    

    After these last messages the interface looks as if the synchronization continues, but it never finishes and the logs show nothing else; those are the last messages.

    I tried erasing certificates and reauthorizing them, but the result remains unchanged.

    Perhaps this is related to the recent changes required to make custom certs work with the newest version of Android... somehow they're incompatible with older versions now? :P

    Cheers and thanks!



  • Btw, on the server side logs all I see on each attempt is a single line like this:

    (IP ADDRESS) - - [12/Oct/2016:12:36:00 -0300] "-" 408 3853 "-" "-"

    Hope this helps.


  • developer

    Hello,

    Please provide steps to reproduce and debug info. What Android 4 version do you have? Android 4.0.3?



  • Well I have a similar problem.

    After 5 minutes I get further messages:

    2016-10-12 17:50:43 2 [cert4android.CustomCertManager$MessageHandler] Received reply from CustomCertificateService: { what=0 when=0 arg1=4 arg2=1 }
    2016-10-12 17:55:43 1 [cert4android.CustomCertManager$CustomHostnameVerifier] Certificate is in custom trust store, accepting
    2016-10-12 17:55:43 1 [dav4android.BasicDigestAuthHandler] Trying Basic auth preemptively
    2016-10-12 17:55:43 1 [dav4android.BasicDigestAuthHandler] Adding Basic authorization header for https://xxx
    2016-10-12 17:55:44 1 [HttpClient$1] <-- 207 Multi-Status https://xxx (301639ms)
    

    This happens for each calendar.
    So synchronization takes a long time.

    I have been seeing this behavior for several weeks now.

    My configuration:
    owncloud 7.0.1
    Android-Version: 4.1.2
    DAVdroid-Version: 1.3.2.2-gplay


  • developer

    Could you please provide steps to reproduce? I'd really like to have a look at this, but I can't reproduce the problem and so I just can't do anything except wondering why it doesn't work.



  • @rfc2822 thanks for the reminder and sorry for overlooking that.

    All I do to reproduce is tell DavDroid to sync, this started happening without any config changes either server or client side, just after a recent update. As I mentioned I am guessing it is related to 1.3 when support for custom certs on newer android was introduced.

    Info is here:

    SOFTWARE INFORMATION
    DAVdroid version: 1.3.2.2-ose (120) Sun Oct 09 09:51:43 CEST 2016
    Installed from: org.fdroid.fdroid
    JB Workaround installed: no
    
    CONFIGURATION
    System-wide synchronization: automatically
    Account: xxx
    Address book sync. interval: manually
    Calendar sync. interval: —
    OpenTasks sync. interval: —
    WiFi only: false
    [CardDAV] Contact group method: GROUP_VCARDS
    RFC 6868 encoding: true
    [CalDAV] Time range (past days): 90
    Manage calendar colors: true
    Account: xxx
    Address book sync. interval: —
    Calendar sync. interval: manually
    OpenTasks sync. interval: —
    WiFi only: false
    [CardDAV] Contact group method: GROUP_VCARDS
    RFC 6868 encoding: true
    [CalDAV] Time range (past days): 90
    Manage calendar colors: true
    
    SQLITE DUMP
    android_metadata
    | locale |
    | fr_FR |
    ----------
    settings
    | setting | value |
    | logToExternalStorage | 0 |
    | distrustSystemCerts | 0 |
    ----------
    services
    | _id | accountName | service | principal |
    | 1 | xxx-card | carddav | https://xxx/baikal/card.php/principals/xxx/ |
    | 2 | xxx | caldav | https://xxx/baikal/cal.php/principals/xxx/ |
    ----------
    sqlite_sequence
    | name | seq |
    | services | 2 |
    | collections | 7 |
    | homesets | 5 |
    ----------
    homesets
    | _id | serviceID | url |
    | 1 | 1 | https://xxx/baikal/card.php/addressbooks/xxx/ |
    | 5 | 2 | https://xxx/baikal/cal.php/calendars/xxx/ |
    ----------
    collections
    | _id | serviceID | url | readOnly | displayName | description | color | timezone | supportsVEVENT | supportsVTODO | sync |
    | 2 | 1 | https://xxx/baikal/card.php/addressbooks/xxx/default/ | 0 | Default Address Book | Default Address Book for xxx | <null> | <null> | <null> | <null> | 1 |
    | 7 | 2 | https://xxx/baikal/cal.php/calendars/xxx/default/ | 0 | Default calendar | Default calendar | <null> | <null> | 1 | 1 | 1 |
    ----------
    
    SYSTEM INFORMATION
    Android version: 4.4.4 (cm_crespo-userdebug 4.4.4 KTU84Q b7a4be7610 test-keys)
    Device: Samsung Nexus S (crespo)
    

  • developer

    @solstag said in Custom certificate broken on Android 4:

    All I do to reproduce is tell DavDroid to sync, this started happening without any config changes either server or client side, just after a recent update. As I mentioned I am guessing it is related to 1.3 when support for custom certs on newer android was introduced.

    Thanks, but I would need steps which I can do to reproduce the problem. When I synchronize my account, everything works ;) And I can't debug a working configuration.

    Does this happen on a fresh DAVdroid installation too?



  • Ok, I've found a workaround that kinda works for me.

    1. open Davdroid
    2. go to settings and switch on the option "Distrust system certificates"
    3. now switch it off!
    4. go to one of your accounts and request syncing
    5. account gets synced (not sure if completely, but from a glance at changes it seems to work)
    6. however, if you try syncing another account it does not work, you have to restart the procedure from the top

    Hope this can help fix it!


  • developer

    @bodo Do you have "distrust system certificates" enabled? Do you use a custom certificate which is not installed in Android? Does this happen for a fresh DAVdroid installation, too? Did you disable notifications for DAVdroid?

    I can't reproduce this problem, either with Android 4.4 and a custom certificate or with "distrust system certificates" and a PKI-trusted certificate. On Android 5.1 and 6.0, everything also seems to work as expected and the tests are successful, too.

    So I'd need far more information to have a look into this :/ … including what certificate is used, steps to reproduce (since a fresh installation of DAVdroid) etc.



  • @rfc2822 I know your problem very well!
    What about an account on my ownCloud server?
    How to transfer username, password and url?


  • developer

    @bodo You could send it to play@bitfire.at (OpenPGP). I however doubt that it's related to the server, it sounds like a local problem.



  • @rfc2822 You are right, it is a local problem.
    I played around with the new account and as usual, it works :smile:
    But I found the solution:
    The host name of the URL must exactly match the host name (CN) of the certificate.
    In my case I removed the "www." in the DAVdroid config.
    Now I added a new account to DAVdroid with the "www." part in the URL and it works fine.

    This also happens on the test account.

    Thanks

    Bodo
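
The host name mismatch described in the post above, as an added example that is not part of the thread and is not DAVdroid or cert4android code: a simplified RFC 6125-style name check in Python over certificate fields in the dict layout returned by `ssl.SSLSocket.getpeercert()`. The host names, certificate contents and function names are constructed for illustration.

```python
# Added example: simplified host name check against a certificate's names.
# Only whole-label wildcards ("*.example") are handled; partial wildcards
# such as "w*.example" are treated as literal text and will not match.

def cert_dns_names(cert):
    """Return dNSName SAN entries; fall back to the subject CN only if none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive comparison, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def host_matches_cert(host, cert):
    return any(name_matches(n, host) for n in cert_dns_names(cert))


# Constructed self-signed certificate issued for the "www." name only (CN, no SAN).
CERT_WWW = {
    "subject": ((("commonName", "www.cloud.example"),),),
}
# Constructed certificate whose SAN list covers both names; its CN is ignored.
CERT_BOTH = {
    "subject": ((("commonName", "legacy.example"),),),
    "subjectAltName": (("DNS", "cloud.example"), ("DNS", "*.cloud.example")),
}

if __name__ == "__main__":
    for host in ("www.cloud.example", "cloud.example"):
        for label, cert in (("CERT_WWW", CERT_WWW), ("CERT_BOTH", CERT_BOTH)):
            print(f"{host:20} vs {label}: {host_matches_cert(host, cert)}")
```

With `CERT_WWW`, the account URL without "www." fails the check while the one with "www." passes; a certificate that lists both names as SAN entries, like `CERT_BOTH`, accepts either URL.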



  • Hi,

    I ended up having to move my stuff to a server with a valid certificate for other reasons, so I won't be able to help any further, thanks for the assistance.

    The fact that the workaround works is the best clue I have on what could be wrong.

    Cheers!



  • Seems to be solved with version 1.3.3.
    Many thanks to rfc2822!

