@xav Thanks. Well, at least it’s now working, and maybe you can determine the suspicious client one day 🙂
IO error Cannot verify hostname <host>
-
Don’t go, I read [this page] (http://davdroid.bitfire.at/faq/entry/cannot-verify-hostname) ^^
I use radicale for the server, with a ssl key signed by gandi.net. I tested with [CalDav Sync adapter] (https://f-droid.org/repository/browse/?fdfilter=caldav&fdid=org.gege.caldavsyncadapter), all is OK, sync works. SSL is also OK, I tested with my browser, and it seems to work with CalDav sync adapter.
My problem : IO error Cannot verify hostname <host> with this configuration :
- https://host:5232/, with and without <user>/
- User and password are correct (tested with CDSA)
- Preemptive auth doesn’t change anything
I tried importing my server’s certificate, without results. Any idea ?
-
What is the domain? If you don’t want to make it public, please send it to play@bitfire.at. Did you test it with the SSL Labs SSL Testing Service linked in the FAQ?
-
It’s yamaworld.fr
ssllab doesn’t work for a port other than 443 -
Oh, is it because it’s not port 443, so it doesn’t find hostname “yamaworld.fr:5232” ?
-
no idea ?
-
No time yet.
-
no problem, it’s just a bit fustrating
-
Ok, found out that:
- https://yamaworld.fr:5232 works with Firefox/27 on my PC, but
- https://yamaworld.fr:5232 doesn’t work with Firefox/27 or the default browser on our Galaxy Note 10.1 (Android 4.1): “untrusted issuer”
So let’s have a look at the certificate chain with OpenSSL:
# openssl s_client -host yamaworld.fr -port 5232 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=yamaworld.fr i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA ---If I look in Firefox on my PC, I see this chain:
- UTN-USERFirst-Hardware (serial nr. 44:BE:0C:8B:50:00:24:B4:11:D3:36:2A:FE:65:0A:FD)
- Gandi Standard SSL CA (5A:B6:1D:AC:1E:4D:A2:06:14:C7:55:3D:3D:A9:B2:DC)
- yamaworld.fr (00:DC:BB:78:54:7E:47:7C:CF:61:72:62:DE:B7:91:0F:E9)
So the problem is that your server doesn’t send the the Gandi Standard SSL CA as an intermediate certificate. On devices where the Gandi Standard SSL CA is available by default, it works, but on Android devices, the intermediate certificate is not in the trust store by the default. However, UTN-USERFirst-Hardware is available:
.Configure your Web server to send the Gandi Standard SSL CA as an intermediate certificate
and it will work. Apache FAQ -
Strange, my android firefox worked on verifying ssl certificate… But it was that, it works if I use a crt+chain file instead of only crt. Thanks !
