Accept self-signed certificates

  • @unsacred666 no, self-signed certs are not a solution, a self-created CA is. Yes, it is more hassle, but there’s software that makes it easier, and it is WAYS more secure than self-signed, not to mention that if you protect multiple services you only have one cert to add.

  • @viq I don’t know of any difference between a self-signed cert and a self-created CA that signes certs. In both ways your cert is not pre-deployed on the device.
    Also both have the same disadvantage, that even when you use one of them, a compromised trusted CA can issue a new certificate for your domain playing MitM. MitM attacks can only be prevented by pinning your self-signed cert or self-created CA. See for more information about pinning in Android 4.2

  • @dschuermann I’d have to find it again, saw some security person talking about CA giving you much greater control than a simple self-signed cert.

  • I would like to use my own self-sign certs as well, so please find a solution how people can use there own certs and are not depending on third partys.

  • developer

  • @rfc2822 AndroidPinning would need a user interface to add pinned certs/pub keys. Currently it is only useful to hardcode a pinned cert/pub key.

  • @rfc2822 I tried it with an self-signed certificate and got the above error. Then i created a certificate from (class 1) and still get the error:“E/A-Fehler: No peer certificate”.
    Maybe a caching problem?

  • @rfc2822 Same problem to me, I transferred my Owncloud server 5.0.12. During the transfer I also tried self signed certificates for testing. After that davdroid is not accepting my startssl certificate any more, all the other apps and also the software of my debian system is still working fine… Anyway, thanks for the cool FOSS app!

  • @hubgitti @rfc2822 Sorry, I had a typo in the SSL config of the webserver for CA and chain file. The other applications just didn’t bother…

  • I have to point out that merely setting up davdroid to use my self-signed cert requires me to alter the fundamental way in which I use Android.

    If CM had working encryption, I’d be using passworded devices, but as it stands PINs/Passwords are useless. Yet in order to import my certificate I must set one up. I understand that this is Android’s fault for including bizarrely specific security settings when there are a million more UI holes but it is rather silly to not accept certs on the app level.

    Thanks for a great program, though. I look forward to using it someday.

  • It is relevant that both StartSSL and CACert offer free keys, but they only offer free keys that expire after, what, six months or a year? No user wants to have to go screw around on the command line and generate a new certificate file to copy to their phone to import to their security settings every six months.

    Lack of simple self-signed SSL support is a show stopper. This is definitely a deciding issue for me, and I’m sure there are many others who feel the same. 😞

    Also, a question. With Apache, when we’re self-signing, we get a crt. Can that be imported directly?

  • With Apache, when we’re self-signing, we get a crt. Can that be imported directly?


  • +1 for an implementation of certificate pinning.

    I definitely agree that importing your own CA into Android would be the ideal solution, that is in fact what I’ve done for myself, but that just isn’t feasible for the average user.

    • First of all, going through the procedure of importing the certificate is not something that I can explain to my average family member; so I’ll have to do it for them.

    • This isn’t your fault but an Android implementation clusterfuck, but I can’t explain to them that because of “this new calendar thingy” they suddenly can’t use their pattern unlock anymore but have to use a pincode instead.

    • Also an implementation clusterfuck, as if Google is receiving a fat pile of money from the large certificate authorities to make it as unattractive as possible to import custom ones, importing a custom CA causes a “An unknown party is capable of monitoring your internet connection” warning to be displayed at startup and added to the notification area permanently. Can’t explain that one either.

    These things make davdroid unsuitable for anyone but power users, while I’d love to be able to recommend it to all of my friends and family.

    And, as someone has said earlier, depending on your paranoia level a certificate pinning system might be even more secure than importing your CA: if you do the latter, any of Android’s 100 trusted CA’s that you’ve never even heard of can still generate a valid certificate for your domain which would probably go completely unnoticed; while pinning would alert you about it/prevent it.

  • The actual procedure to add a certificat is too much complicated.

    I tried to access to my owncloud server on a mutualised server for using with mirakel (tasks manager) without success.

    All of us are not developper! 😉

    Please add the option to make it simple and accept the help of dschuermann.

  • developer

    Do you know if MemorizingTrustManager works with sync adapters / whether sync adapters can create a GUI?

  • @rfc2822 Yes, I think it should work. It will show a notification when the certificate can not be validated including a pending intent which results in the dialog provided by memorizingtrustmanager.

  • Hi, the same for me, self-signed certificate .crt, cannot get DAVDROID to work with this certificate “Cannot verify hostname”. The news app for owncloud let me bypass this hostname verification, and i’m very happy with that.
    +1 to warn the user, but let him the freedom to accept or not this unsecure way (in my case, the contacts and calendar are public anyway, so I don’t need a secure solution, I need a Working solution.)
    I just paid for Davdroid, and can’t use it 😞

  • developer

    1. Do you have SNI? 2) If your data is public and you don’t need security for your data (including name/password), why don’t you use HTTP instead of HTTPS? This will save your client’s and server’s resources.

  • @rfc2822, as an aside, https does not cause any noticable performance loss over http. That’s an old issue that is non-existent now

  • developer

    @ainola I strongly advise to use HTTPS wherever possible for privacy reasons, but how shall it work that SSL doesn’t use resources? For every connection, there has to be a key exchange (preferably with PFS) which uses CPU and network resources, while the symmetric block encryption is quite cheap (but not non-existent).

Similar topics