Accept self-signed certificates


  • Well,there are also StartSSL and CAcert where you can get a signed certificate for free.


  • @kaimi nope, I tryed it with CM10.1. That function is intended to import CA certs. It installs the pub cert sucessfully, but it dont appears in the cert store, and is not available to apps wich would make sense if its just for CA certs. but maybe this is a bug in CM, I dont know…

    @viq yes sure! but since that NSA leak for me and many other ppl CA companys are compromised and dead of trust now. Selfsigned certs are the last and best way remaining to use pki… 2ct


  • Off course, you are under no obligation to spend time on features you don’t need. But I would like to ask you to reconsider taking up the original submitter’s offer for help.

    There are three reasons I would like to submit:

    • Say, I run a server with a self-signed certificate and would like family members to set up their phones to sync with accounts on that server. Importing a certificate is something that they will not be able to do without my help (and that they might even consider too much a hassle with my help), whereas choosing “accept” once on a dialogue is acceptable for them. It’s not a small difference, in their eyes it’s the difference between “no problem” and “these open source apps are so complicated, a normal person cannot use them”.

    • A lot of other apps use the “display dialogue on first contact” approach to self-signed certificates, so many users will be familiar with that (e.g. OwnCloud file sync, Gibberbot etc.)

    • Even as a fairly technically inclined person, I would have to need to search for a tutorial in order to find out how to get a .pem file for the certificate of some else’s server. As sharing access to private servers (that often have self-signed certificates) is one of the major use cases for this app (think calendar sharing in the family or the office), a solution which can be applied by the average user without need to consult handbooks or web sites would be very useful.

    Thank you for your great work!


  • @unsacred666 no, self-signed certs are not a solution, a self-created CA is. Yes, it is more hassle, but there’s software that makes it easier, and it is WAYS more secure than self-signed, not to mention that if you protect multiple services you only have one cert to add.


  • @viq I don’t know of any difference between a self-signed cert and a self-created CA that signes certs. In both ways your cert is not pre-deployed on the device.
    Also both have the same disadvantage, that even when you use one of them, a compromised trusted CA can issue a new certificate for your domain playing MitM. MitM attacks can only be prevented by pinning your self-signed cert or self-created CA. See http://nelenkov.blogspot.de/2012/12/certificate-pinning-in-android-42.html for more information about pinning in Android 4.2


  • @dschuermann I’d have to find it again, saw some security person talking about CA giving you much greater control than a simple self-signed cert.


  • I would like to use my own self-sign certs as well, so please find a solution how people can use there own certs and are not depending on third partys.

  • developer


  • @rfc2822 AndroidPinning would need a user interface to add pinned certs/pub keys. Currently it is only useful to hardcode a pinned cert/pub key.


  • @rfc2822 I tried it with an self-signed certificate and got the above error. Then i created a certificate from startssl.com (class 1) and still get the error:“E/A-Fehler: No peer certificate”.
    Maybe a caching problem?


  • @rfc2822 Same problem to me, I transferred my Owncloud server 5.0.12. During the transfer I also tried self signed certificates for testing. After that davdroid is not accepting my startssl certificate any more, all the other apps and also the software of my debian system is still working fine… Anyway, thanks for the cool FOSS app!


  • @hubgitti @rfc2822 Sorry, I had a typo in the SSL config of the webserver for CA and chain file. The other applications just didn’t bother…


  • I have to point out that merely setting up davdroid to use my self-signed cert requires me to alter the fundamental way in which I use Android.

    If CM had working encryption, I’d be using passworded devices, but as it stands PINs/Passwords are useless. Yet in order to import my certificate I must set one up. I understand that this is Android’s fault for including bizarrely specific security settings when there are a million more UI holes but it is rather silly to not accept certs on the app level.

    Thanks for a great program, though. I look forward to using it someday.


  • It is relevant that both StartSSL and CACert offer free keys, but they only offer free keys that expire after, what, six months or a year? No user wants to have to go screw around on the command line and generate a new certificate file to copy to their phone to import to their security settings every six months.

    Lack of simple self-signed SSL support is a show stopper. This is definitely a deciding issue for me, and I’m sure there are many others who feel the same. 😞

    Also, a question. With Apache, when we’re self-signing, we get a crt. Can that be imported directly?


  • With Apache, when we’re self-signing, we get a crt. Can that be imported directly?

    No.


  • +1 for an implementation of certificate pinning.

    I definitely agree that importing your own CA into Android would be the ideal solution, that is in fact what I’ve done for myself, but that just isn’t feasible for the average user.

    • First of all, going through the procedure of importing the certificate is not something that I can explain to my average family member; so I’ll have to do it for them.

    • This isn’t your fault but an Android implementation clusterfuck, but I can’t explain to them that because of “this new calendar thingy” they suddenly can’t use their pattern unlock anymore but have to use a pincode instead.

    • Also an implementation clusterfuck, as if Google is receiving a fat pile of money from the large certificate authorities to make it as unattractive as possible to import custom ones, importing a custom CA causes a “An unknown party is capable of monitoring your internet connection” warning to be displayed at startup and added to the notification area permanently. Can’t explain that one either.

    These things make davdroid unsuitable for anyone but power users, while I’d love to be able to recommend it to all of my friends and family.

    And, as someone has said earlier, depending on your paranoia level a certificate pinning system might be even more secure than importing your CA: if you do the latter, any of Android’s 100 trusted CA’s that you’ve never even heard of can still generate a valid certificate for your domain which would probably go completely unnoticed; while pinning would alert you about it/prevent it.


  • The actual procedure to add a certificat is too much complicated.

    I tried to access to my owncloud server on a mutualised server for using with mirakel (tasks manager) without success.

    All of us are not developper! 😉

    Please add the option to make it simple and accept the help of dschuermann.

  • developer

    Do you know if MemorizingTrustManager works with sync adapters / whether sync adapters can create a GUI?


  • @rfc2822 Yes, I think it should work. It will show a notification when the certificate can not be validated including a pending intent which results in the dialog provided by memorizingtrustmanager.


  • Hi, the same for me, self-signed certificate .crt, cannot get DAVDROID to work with this certificate “Cannot verify hostname”. The news app for owncloud let me bypass this hostname verification, and i’m very happy with that.
    +1 to warn the user, but let him the freedom to accept or not this unsecure way (in my case, the contacts and calendar are public anyway, so I don’t need a secure solution, I need a Working solution.)
    I just paid for Davdroid, and can’t use it 😞

Similar topics

  • 11
  • 7
  • 8