"Cannot verify hostname" with StartSSL class 1 certificate



  • Hi,

    Issue: DAVdroid can't connect to my ownCloud 6 server and returns "Cannot verify hostname" during CardDAV or CalDAV account creation.
    DAVdroid version: 0.5.12-alpha version.
    Android version: 4.4.2
    Certificate: StartSSL class 1
    CalDAV URL: https://my_domain/remote.php/caldav/
    CardDAV URL: https://my_domain/remote.php/carddav/

    Workaround:
    I use "CardDav-Sync free" and "CalDav Sync Adapter", which both work fine with my server. But I would prefer to use a single open source application for CardDAV and CalDAV.

    More Info:
    No error returned by https://www.ssllabs.com/ssltest/analyze.html (Rating A+)

    • Protocols: TLS 1.2 (Yes); TLS 1.1 (Yes); TLS 1.0 (Yes); SSL 3 ( Yes); SSL 2 (YesD)

    No error returned by http://www.sslshopper.com/ssl-checker.html

    • The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
    • The certificate was issued by StartCom.
    • The certificate will expire in 364 days
    • The hostname is correctly listed in the certificate.

    I tested the same DAVdroid application with a self-signed certificate and I was able to connect to my server, but the limitation on the PIN/password for unlocking the device and the fact that the certificate has to be deployed on each terminal is a clear showstopper for me.

    Any help is welcome...

    Thank you.


  • developer

    Is your server configured to send the intermediate class 1 certificate? Can you please check whether all StartSSL certificates from the chain are either in your device's trust store (Settings / Security / Certificates) or in the chain sent by the server?



  • Arf! I had checked twice. Thank you for your help.
    I used https://sslcheck.casecurity.org/ to verify my certificate chain. The site is based on ssllabs but has a better display than ssllabs. I had an issue with the StartSSL CA certificate.

    As the other applications (ownCloud, "CardDav-Sync free" and "CalDav Sync Adapter") are able to behave like a web browser, it's not so easy to investigate the problem.

    Could you update the FAQ http://davdroid.bitfire.at/faq/entry/cannot-verify-hostname in order to add one bullet per issue that we have to verify, and for each point specify some guidelines? For example, how we can use the SSL testing service to check the certificate supply chain (or the openssl command line).

    Is it possible for DAVdroid to return a better error message? ('certificate supply chain error', 'self-signed certificate not allowed', etc.)

    Anyway, thank you very much for your support.
    Now, DAVdroid is able to connect my owncloud server :)
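
The check the developer asks for above (every certificate in the chain must be either sent by the server or present in the device's trust store) can be reproduced offline with the openssl command line. This is an added example, not part of the original thread or of DAVdroid; the CA names, the host name `dav.example.test` and all keys are throwaway values constructed for the demo.

```bash
#!/bin/sh
# Added example. Constructed throwaway chain:
#   Demo Root CA -> Demo Intermediate CA -> dav.example.test

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  printf 'subjectAltName=DNS:dav.example.test\n' > "$1/leaf.ext"
  new_csr "$1/root" "Demo Root CA" &&
  new_csr "$1/inter" "Demo Intermediate CA" &&
  new_csr "$1/leaf" "dav.example.test" &&
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -CAcreateserial -days 2 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null &&
  cat "$1/root.pem" "$1/inter.pem" > "$1/root+inter.pem"
}

# $1 = trust store, $2 = server cert, $3 = intermediates sent by the server (optional)
client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() {  # $1 = label, remaining arguments go to client_accepts
  label=$1; shift
  if client_accepts "$@"; then echo "$label: chain verifies"
  else echo "$label: cannot build a chain to a trusted root"; fi
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" || echo "openssl could not build the demo chain" >&2
report "leaf only, device trusts root only" "$demo_dir/root.pem" "$demo_dir/leaf.pem"
report "leaf + intermediate sent by server" "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/inter.pem"
report "leaf only, intermediate in trust store" "$demo_dir/root+inter.pem" "$demo_dir/leaf.pem"
```

Against a live server, `openssl s_client -connect my_domain:443 -servername my_domain -showcerts` prints the certificates the server actually sends, which can be saved to files and passed to the same `openssl verify` checks.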

