Added support for self-signed certificates using MemorizingTrustManager



  • This patch integrates MemorizingTrustManager as suggested in https://github.com/rfc2822/davdroid/issues/3

    MemorizingTrustManager is included as a git submodule (so updates should be automatically included when pulling).

    The patch has been modified to fit the new singleton pattern for TlsSniSocketFactory. The new version changes TlsSniSocketFactory and all the activities/services that may eventually use the TlsSniSocketFactory.

    This isn't extensively tested, but it works on my phone with a self-signed certificate that does not have the CA extension set (importing this type of certificate into the android trust store did not help, as it is considered a "client" certificate). I tested on Cyanogenmod 11 M4.



  • pls merge to master-branch.. would be fantastic to use on ownclouds! thx for that patch!


  • developer

    pls merge to master-branch.. would be fantastic to use on ownclouds! thx for that patch!

    For discussion, see issue #3.


  • developer

    Thanks for your work and the pull request.

    I have created a branch to try your patch:
    https://github.com/rfc2822/davdroid/tree/memorizing-trust-manager
    and have encountered these issues:

    1. When adding a server with an unknown certificate, the dialog appears as expected. However, after clicking 'Always', the connections don't seem to be established because there's no progress in the resource detection. In the server logs (Apache mod_ssl), I get a single connection but its request times out (HTTP 408) so I guess the SSL connection is established but somehow not correctly passed to the HttpClient library. Do you have an idea what the reason may be?

    2. Then I forced DAVdroid to stop and tried again. Now, the dialog won't even appear, only the well-known "Cannot verify hostname" message.

    3. The library requires a Context for the GUI. When starting DAVdroid via the Main Activity, this context is set correctly. However, DAVdroid's main use is as a sync adapter. When Android tries to sync contacts/calendars and thus calls DAVdroid, it will try to connect to the respective HTTPS server. Now it's possible that the server has changed its certificate (for instance, because it has got a new one). This situation should be handled, so it seems reasonable to set the Context in DavSyncAdapter::DavSyncAdapter, too. Or did you intentionally leave this out?

    (Posted here instead of #3)



  • is there anything I can do to help? should I download an apk and try it on my MotoG/CM11?



  • @rfc2822 I can't recreate your problem (my connection succeeds at first try, both on my phone and in the emulator). Is it consistent? Could it be something to do with the specific certificate or with the server configuration? (I'm also testing against apache mod_ssl)

    After the force-stop, you may have created some problem in the memorizingtrustmanager's database. We should probably add an option to delete the database, both as a last resort to handle problems like this and to allow a simple reset of the stored certificates (this can be done simply by deleting the app_KeyStore/KeyStore.bks file)

    Regarding issue (3), I may have put the context setting in the wrong places: I modified AccountAuthenticatorService, AddAccountActivity, CalendarsSyncAdapterService and ContactsSyncAdapterService. Should it be in DavSyncAdapter too (or only)?

    For testing the popup during a sync, is there an easy way to cause a sync without going through the main activity? (e.g., if I start the sync from the account settings page, is that in the main activity?) By erasing the KeyStore.bks file, you can simulate a certificate change without actually having to reconfigure the web server; I tested this and did get the memorizingtrustmanager popup.


  • developer

    Seems to work now. I will do some tests in the near future and then merge it to master.

    Do you know if the MemorizingTrustManager handles multiple threads correctly? There may be two threads synchronizing contacts and events at the same time, and if the server certificate has changed, both threads would require attention at the same time.


  • developer

    I also wonder whether it's safe to set the Context statically. Wouldn't it be better to create separate MemorizingTrustManager instances for the Main Activity and each sync service (because each of them has a separate Context)? This would require having several TlsSniSocketFactory instances, too.


  • developer

    See also https://github.com/ge0rg/MemorizingTrustManager/issues/18 for the multi-threading issues.



  • @rfc2822 regarding the issues you had:

    1. is it possible that you answered the dialog after the connection timed out? MTM blocks the socket until a decision happens, at which time it might be too late.

    2. Probably MTM added the cert into its storage, but fails to verify due to a hostname mismatch. I am still missing code to allow "invalid" hostnames if the cert is in MTM's store, but deny them if it is not.

    3. Not sure how @ducktayp implemented it, but by default MTM falls back to a Notification if no Activity is present.

    HTH.
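The behaviour discussed above (a blocked connection that times out before the user answers, a memorized certificate whose hostname mismatch is tolerated, and two sync threads hitting the same changed certificate) can be modelled in a few lines. This is an added, constructed model of the decision logic, not MTM's or DAVdroid's code; the fingerprint "sha1:AA", the `ask_user` callback and the 0.05 s timeout are made up for the scenario.

```python
import threading
from typing import Callable, Dict, Set


class MemorizingDecider:
    """Constructed model of MTM-style trust decisions, not MTM's own code."""

    def __init__(self, ask_user: Callable[[str], bool]):
        self._ask_user = ask_user                 # blocks until "Always"/"Deny"
        self._stored: Set[str] = set()            # accepted cert fingerprints
        self._pending: Dict[str, threading.Event] = {}
        self._lock = threading.Lock()
        self.prompts = 0                          # times the user was really asked

    def check(self, fp: str, system_trusted: bool, hostname_ok: bool,
              timeout: float) -> bool:
        if system_trusted and hostname_ok:
            return True                           # ordinary CA case: never ask
        with self._lock:
            if fp in self._stored:
                return True                       # memorized: CN mismatch tolerated
            owner = fp not in self._pending       # first thread owns the prompt
            waiter = self._pending.setdefault(fp, threading.Event())
        if owner:
            accepted = self._ask_user(fp)         # this thread blocks, like MTM
            with self._lock:
                self.prompts += 1
                if accepted:
                    self._stored.add(fp)
                del self._pending[fp]
            waiter.set()                          # release threads that waited
            return accepted
        if not waiter.wait(timeout):
            return False                          # answer came too late (the 408 case)
        with self._lock:
            return fp in self._stored


def simulate_two_sync_threads() -> dict:
    """Constructed scenario: contacts and calendar sync hit one changed cert."""
    shown, clicked = threading.Event(), threading.Event()

    def ask_user(fp: str) -> bool:
        shown.set(); clicked.wait(); return True  # user eventually taps "Always"

    d, out = MemorizingDecider(ask_user), {}
    t1 = threading.Thread(target=lambda: out.update(
        contacts=d.check("sha1:AA", False, True, timeout=5.0)))
    t1.start(); shown.wait()                      # dialog is now open for thread 1
    out["calendar"] = d.check("sha1:AA", False, True, timeout=0.05)  # gives up
    clicked.set(); t1.join()
    out["retry"] = d.check("sha1:AA", False, False, timeout=0.0)  # stored, CN off
    out["prompts"] = d.prompts
    return out
```

Only one prompt is shown for the shared certificate; the thread whose socket deadline passes first fails, and a later retry succeeds without a dialog.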



  • I suppose this means a WONTFIX, which is a real pity.

    @ducktayp Do you plan to maintain the fork?



  • @ge0rg I do, since I use it myself. However, it might lag a bit behind the official version ("real life" sometimes interferes with the really important things, like maintaining forks). I'd much rather it be in mainline.



  • @ducktayp could you release an apk for your fork?



  • here is the APK I have compiled from 0.5.14-alpha from ducktayp's repository for personal use. Of course you have to trust me if you download. But this is what this thread was about: having an official build with MTM.
    davdroid apk (rename to .apk)



  • Thanks :+1:



  • Can someone provide a recent build? The latest binary I found was for 0.6.7 (https://github.com/ducktayp/davdroid/releases/tag/v0.6.7-MTM).



  • you can get 0.7 here: https://github.com/paroj/davdroid
    will create a 0.8 build in the next days..



  • @paroj There is no 0.7 release available at your repo.

    EDIT: I found it somewhere buried in your commits (https://github.com/paroj/davdroid/blob/f8c1d85c1be52c2cdf9db76a9ecfa3360842f71d/davdroid-0.7-release.apk). You should tag the release.



  • it's just in the root of the repository... but I can put an additional download link in the readme.



  • 23.06.2015 Pavel Rojtberg:

    it's just in the root of the repository... but I can put an additional
    download link in the readme.

    Thank you very much for your effort and support! I deeply appreciate this!

    Cheers to you

    Roy

