Custom certificate broken on Android 4

rfc2822

Could you please provide steps to reproduce? I’d really like to have a look at this, but I can’t reproduce the problem and so I just can’t do anything except wondering why it doesn’t work.

solstag

@rfc2822 thanks for the reminder and sorry for overlooking that.

All I do to reproduce is tell DavDroid to sync, this started happening without any config changes either server or client side, just after a recent update. As I mentioned I am guessing it is related to 1.3 when support for custom certs on newer android was introduced.

Info is here:

SOFTWARE INFORMATION
DAVdroid version: 1.3.2.2-ose (120) Sun Oct 09 09:51:43 CEST 2016
Installed from: org.fdroid.fdroid
JB Workaround installed: no

CONFIGURATION
System-wide synchronization: automatically
Account: xxx
Address book sync. interval: manually
Calendar sync. interval: —
OpenTasks sync. interval: —
WiFi only: false
[CardDAV] Contact group method: GROUP_VCARDS
RFC 6868 encoding: true
[CalDAV] Time range (past days): 90
Manage calendar colors: true
Account: xxx
Address book sync. interval: —
Calendar sync. interval: manually
OpenTasks sync. interval: —
WiFi only: false
[CardDAV] Contact group method: GROUP_VCARDS
RFC 6868 encoding: true
[CalDAV] Time range (past days): 90
Manage calendar colors: true

SQLITE DUMP
android_metadata
| locale |
| fr_FR |
----------
settings
| setting | value |
| logToExternalStorage | 0 |
| distrustSystemCerts | 0 |
----------
services
| _id | accountName | service | principal |
| 1 | xxx-card | carddav | https://xxx/baikal/card.php/principals/xxx/ |
| 2 | xxx | caldav | https://xxx/baikal/cal.php/principals/xxx/ |
----------
sqlite_sequence
| name | seq |
| services | 2 |
| collections | 7 |
| homesets | 5 |
----------
homesets
| _id | serviceID | url |
| 1 | 1 | https://xxx/baikal/card.php/addressbooks/xxx/ |
| 5 | 2 | https://xxx/baikal/cal.php/calendars/xxx/ |
----------
collections
| _id | serviceID | url | readOnly | displayName | description | color | timezone | supportsVEVENT | supportsVTODO | sync |
| 2 | 1 | https://xxx/baikal/card.php/addressbooks/xxx/default/ | 0 | Default Address Book | Default Address Book for xxx | <null> | <null> | <null> | <null> | 1 |
| 7 | 2 | https://xxx/baikal/cal.php/calendars/xxx/default/ | 0 | Default calendar | Default calendar | <null> | <null> | 1 | 1 | 1 |
----------

SYSTEM INFORMATION
Android version: 4.4.4 (cm_crespo-userdebug 4.4.4 KTU84Q b7a4be7610 test-keys)
Device: Samsung Nexus S (crespo)

rfc2822

@solstag said in Custom certificate broken on Android 4:

All I do to reproduce is tell DavDroid to sync, this started happening without any config changes either server or client side, just after a recent update. As I mentioned I am guessing it is related to 1.3 when support for custom certs on newer android was introduced.

Thanks, but I would need steps which I can do to reproduce the problem. When I synchronize my account, everything works And I can’t debug a working configuration.

Does this happen on a fresh DAVdroid installation too?

solstag

Ok, I’ve found a workaround that kinda works for me.

1. open Davdroid
2. go to settings and switch on the option “Distrust system certificates”
3. now switch it off !
4. go to one of your accounts and request syncing
5. account gets synced (not sure if completely, but from a glance at changes it seems to work)
6. however, if you try syncing another account it does not work, you have to restart the procedure from the top

Hope this can help fix it !

rfc2822

@bodo Do you have “distrust system certificates” enabled? Do you use a custom certificate which is not installed in Android? Does this happen for a fresh DAVdroid installation, too? Did you disable notifications for DAVdroid?

I can’t reproduce this problem neither with Android 4.4 and a custom certificate, nor with “distrust system certificates” and a PKI-trusted certificate. On Android 5.1 and 6.0, everything also seems to work as expected and the tests are successful, too.

So I’d need far more information to have a look into this … including what certificate is used, steps to reproduce (since a fresh installation of DAVdroid) etc.

bodo

@rfc2822 I know your problem very well!
What about an account on my ownCloud server?
How to transfer username, password and url?

rfc2822

@bodo You could send it to play@bitfire.at (OpenPGP). I however doubt that it’s related to the server, it sounds like a local problem.

bodo

@rfc2822 You are right, it is a local problem.
I played around with the new account and as usual, it works
But I found the solution:
The host name of the url must exactly match to the host name (CN) of the certificate.
In my case I removed the “www.” in the DAVdroid config.
Now I added a new account to DAVdroid with the “www.” part in the url and it works fine.

This also happens on Test account.

Thanks

Bodo

solstag

Hi,

I ended up having to move my stuff to a server with a valid certificate for other reasons, so I won’t be able to help any further, thanks for the assistance.

The fact that the workaround works is the best clue I have on what could be wrong.

Cheers!

bodo

Seems to be solved with version 1.3.3.
Many thanks to rfc2822!