Self-signed SSL-Certificates



  • I'm pretty sure you know about the "Network may be monitored"-"bug", as you wrote about it in the FAQs. For me this thing is pretty annoying and I am sure Android won't be changed back again, so I dislike the way DAVdroid needs to handle self-signed certificates (Don't get me wrong, from a developer's POV, this is the best suited solution! But it is annoying for the user).

    As the usage is nearly impossible for a non-IT guy, I'd like to suggest handling those certificates like several other applications do (for example ownCloud): Make it possible to import the certificate during the creation of an account.

    I searched in the owncloud app, how they do it, and it looks pretty simple to me: https://github.com/owncloud/android/blob/master/src/com/owncloud/android/ui/dialog/SslUntrustedCertDialog.java


  • developer

    Thanks for your suggestion. This was discussed extensively in #3, please see there. Summary:

    1. Implementing a private certificate storage for DAVdroid is non-trivial and many things would have to be implemented, for example: GUI and functionality for importing a certificate, GUI and functionality for viewing installed certificates, GUI and functionality for removing installed certificates, integration with the multi-threading HttpClient library connection pool.
    2. All these things would be redundant and – while theoretically nice to have – are less important than all the other missing features, and our time resources are limited.
    3. Pull requests and existing solutions we have found are not satisfactory and don't implement all the things mentioned in (1).
    4. The code from Owncloud you mention seems to be the GUI for importing a certificate. The "real code" is in com.owncloud.android.lib.common.network.NetworkUtils. Also, I don't think they're using a multi-threaded pool with HttpClient library and I also wonder whether there are options for viewing and removing already accepted certificates (crucial after Heartbleed, for example).
    5. We have created CAdroid to allow users to import their self-signed certificates into the Android storage more easily.

    So, thanks again for your suggestion, but at the moment, there's nothing to be added from our side.
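
The pieces listed in point (1) of the reply above (import, view, remove, and safe use from pooled connection threads), as an added sketch that is not code from DAVdroid, ownCloud or CAdroid. The class and function names, the host name and the certificate bytes are all assumptions made for illustration; trust is decided by comparing SHA-256 fingerprints of the DER-encoded certificate.

```python
import hashlib
import hmac
import threading

class PrivateCertStore:
    """Hypothetical per-app store of user-accepted certificates, keyed by host."""

    def __init__(self):
        self._lock = threading.Lock()  # pooled connection threads verify concurrently
        self._pins = {}                # host -> set of SHA-256 hex fingerprints

    @staticmethod
    def fingerprint(der_bytes):
        return hashlib.sha256(der_bytes).hexdigest()

    def import_cert(self, host, der_bytes):
        """Accept a certificate for one host only; returns its fingerprint."""
        fp = self.fingerprint(der_bytes)
        with self._lock:
            self._pins.setdefault(host.lower(), set()).add(fp)
        return fp

    def list_certs(self):
        """What a 'view installed certificates' screen would display."""
        with self._lock:
            return {h: sorted(f) for h, f in self._pins.items() if f}

    def remove_cert(self, host, fp):
        """Withdraw trust, e.g. after the server key may have leaked."""
        with self._lock:
            fps = self._pins.get(host.lower(), set())
            removed = fp in fps
            fps.discard(fp)
            return removed

    def is_trusted(self, host, presented_der):
        """True only if this exact certificate was accepted for this host."""
        fp = self.fingerprint(presented_der)
        with self._lock:
            accepted = list(self._pins.get(host.lower(), ()))
        return any(hmac.compare_digest(fp, a) for a in accepted)

# Constructed stand-ins for DER-encoded certificates (not real certificates).
OLD_CERT = b"constructed-der-bytes: certificate issued before key compromise"
NEW_CERT = b"constructed-der-bytes: certificate reissued with a fresh key"

def demo():
    store = PrivateCertStore()
    old_fp = store.import_cert("dav.example.org", OLD_CERT)
    before = store.is_trusted("DAV.example.org", OLD_CERT)
    store.remove_cert("dav.example.org", old_fp)  # user removes the old certificate
    store.import_cert("dav.example.org", NEW_CERT)
    after = store.is_trusted("dav.example.org", OLD_CERT)
    return before, after, store.is_trusted("dav.example.org", NEW_CERT)
```

Without the list and remove operations, a certificate accepted once stays trusted indefinitely, which is the gap point (4) raises about already accepted certificates.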

