SSL Cert apparently not accepted on Android 4.1.2

AutoImport-timreeves

I’m using 0.5.6a, on my Galaxy Tab3 with 4.2.2 it works. But not on my Note II with Android 4.1.2. The domain is lasslos.net, secured with a Webserver Certificate from StartCom Ltd. This works fine on all PC-based browsers, and as stated, on the Tab3. I have checked that the URL is correct by switching to http://, which then works. But I don’t think it is a completely Android problem, because CardDAV Sync works with the same URL over SSL.

rfc2822

Is there an intermediate certificate and is it included in the certificate chain? See comment 9 here: https://code.google.com/p/android/issues/detail?id=21632

Unfortunately, I can’t look what CardDAV Sync does better because it’s not open-source and I doubt that it will ever be.

AutoImport-timreeves

Thanks for the quick reply! But yes, I have double checked and I did include the CA certificate part, as provided by StartCom, the one called sub.class1.server.ca.pem, which can be downloaded here: http://www.startssl.com/certs/ I’m not quite sure though what you mean by “is it included in the certificate chain”. I run a VPS with Ubuntu 12.04, administered via Plesk 11.5, and have entered all certificate parts offered there - CSR, Private Key, Certificate and CA Certificate. I also called the Domain via https in Firefox on the offending Smartphone - no problems.

rfc2822

I’m not quite sure though what you mean by “is it included in the certificate chain”.

Basically, only the “root CA certificate” for a CA needs to be in the trusted certificate storage. However, CAs often don’t have just one certificate but several “intermediate certificates” (for instance, for various product lines) which are all signed by the root certificate.

If your device only contains the root certificate but your server’s certificate is signed by the intermediate certificate, there’s one missing certificate in the so-called certificate chain and the server certificate can’t be verified. In this case, your server would have to send not only the server certificate but also the intermediate certificate.

✓ root CA (in trust store) signs
✓ server certificate (received via SSL)
→ server cert can be verified

vs

✓ root CA (in trust store) signs
X intermediate certificate (*missing* when not in trust store or received via SSL), signs
✓ server certificate (received via SSL)
→ server cert can't be verified

http://www.startssl.com/?app=21 So do you have SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem in your server config?

If that’s not the problem, can you post the domain name or send it to play@bitfire.at?

AutoImport-djlucas

Having the same problem with a Comodo cheap SSL cert. The intermediate is in place as it should be (single file). The closed competitive products work, as do browsers, but I’d much rather support an open source initiative. Appears to be the same issue. Perhaps SNI is the cause? Feel free to bounce off of my server for testing. https://mail.lucasit.com/SOGo/dav Shouldn’t need an account for verifying SSL…

rfc2822

@djlucas: Your certificate chain is incomplete, see https://www.ssllabs.com/ssltest/analyze.html?d=mail.lucasit.com or https://www.sslshopper.com/ssl-checker.html#hostname=mail.lucasit.com (last warning)

rfc2822

@timreeves Can you also check your domain with SSLTest from Qualys SSL Labs any other SSL checker?

AutoImport-timreeves

  I've attached the result page here.

[Edit: removed output, view at: https://www.ssllabs.com/ssltest/analyze.html?d=lasslos.net]

rfc2822

@timreeves

I’m using 0.5.6a, on my Galaxy Tab3 with 4.2.2 it works. But not on my Note II with Android 4.1.2.

As you can read on https://www.ssllabs.com/ssltest/analyze.html?d=lasslos.net, this site will only work with SNI support. SNI support in available in Android 4.2+ but not in 4.1, so that’s the problem.

Without SNI support from Android, DAVdroid will receive the certificate for the Web server’s main host: “tausys.net” and will reject the connection.

Please note that this problem is described in http://davdroid.bitfire.at/faq at “I always get the error message “Cannot verify hostname” or “No peer certificate” when accessing my server that uses a self-signed certificate.”.

In the FAQ, please also read “Does DAVdroid support Server Name Indication (SNI)?” where you can find suggestions on how to get it working even without SNI.

AutoImport-djlucas

I am so very sorry, it is incomplete! Browser didn’t complain. It’s been broke almost two weeks. It’ll be fixed this evening. Again, so sorry for the bogus report. Thanks for the test site though, should be handy to keep mistakes like that from happening.

rfc2822 notifications@github.com wrote:

@djlucas: Your certificate chain is incomplete, see
https://www.ssllabs.com/ssltest/analyze.html?d=mail.lucasit.com or
https://www.sslshopper.com/ssl-checker.html#hostname=mail.lucasit.com
(last warning)

---

Reply to this email directly or view it on GitHub:
https://github.com/rfc2822/davdroid/issues/161#issuecomment-33285297

–
Sent from my Android device with K-9 Mail. Please excuse my brevity.