I’ve tried it - still the same problem. But the number of successfully downloaded contacts has increased.
The contact in front of the exception is now a different one.
Any restart of the sync process causes downloading a few more contacts.
Andreas
I am syncing my contacts via davdroid with an owncloud server which is only reachable by its IP address. For this server there is a certificate with the IP address as CN. That worked well up to davdroid 0.6.8. After upgrading from 0.6.8 to 0.6.10 sync always fails with the following message:
owncloud kontakte:
javax.net.ssl.SSLPeerUnverifiedException: <IP Address>
at at.bitfire.davdroid.webdav.TlsSniSocketFactory.establishAndVerify(TlsSniSocketFactory.java:118)
at...
When I try to add my account with davdroid 0.6.10 I get a message that the certificate is not issued for my IP address.
I was running into the same issue after update to 0.6.10, too.
I managed to work around this bug by issuing a new certificate with subjectaltname=“IP:<IP address>”.
Maybe the fix would be to use BrowserCompatHostnameVerifier instead of DefaultHostnameVerifier in https://github.com/bitfireAT/davdroid/blob/master/app/src/main/java/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java#L42 ?
Please see here: http://stackoverflow.com/questions/11708717/ip-address-as-hostname-cn-when-creating-a-certificate-https-hostname-wrong
“In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.” (RFC 2818)
I don’t know whether I should switch to a non-default hostname verifier, especially when it seems to be the “proper way” to use subjectAltName.
Have changed it again to BrowserCompatHostnameVerifier and added a comment why. However, I think it should go to the FAQ that subjectAltName should be used.
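The difference between the RFC 2818 rule quoted above and a verifier that also accepts the IP in the CN, as an added example that is not part of the thread or of DAVdroid's code. It covers IP-literal hosts only and models the CN fallback in simplified form rather than reproducing BrowserCompatHostnameVerifier. Assumptions: the function names, the address 192.0.2.10, and the constructed sample certificates, which use the dict layout returned by Python's ssl.SSLSocket.getpeercert().

```python
import ipaddress

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
# 192.0.2.10 is a documentation address, not one taken from the thread.
CN_ONLY = {"subject": ((("commonName", "192.0.2.10"),),)}
WITH_IP_SAN = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
# Common mistake: the IP was put into a dNSName entry instead of an iPAddress entry.
DNS_SAN_ONLY = {
    "subject": ((("commonName", "cloud.example"),),),
    "subjectAltName": (("DNS", "192.0.2.10"),),
}

def _same_ip(candidate, ip):
    """Compare as parsed addresses so textual variants of one IP still match."""
    try:
        return ipaddress.ip_address(candidate) == ip
    except ValueError:
        return False  # the value is not an IP literal at all

def strict_match(cert, host):
    """RFC 2818 rule: an IP host must equal an iPAddress subjectAltName entry."""
    ip = ipaddress.ip_address(host)  # raises ValueError if host is not an IP literal
    sans = cert.get("subjectAltName", ())
    return any(kind == "IP Address" and _same_ip(value, ip) for kind, value in sans)

def cn_fallback_match(cert, host):
    """Lenient model (assumption): also accept a commonName equal to the IP."""
    if strict_match(cert, host):
        return True
    ip = ipaddress.ip_address(host)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_same_ip(cn, ip) for cn in cns)

def audit(cert, host):
    """Classify a certificate presented by a server that is reached by IP only."""
    if strict_match(cert, host):
        return "ok"
    if cn_fallback_match(cert, host):
        return "cn-only: reissue with an iPAddress subjectAltName"
    return "mismatch"

if __name__ == "__main__":
    samples = {"CN_ONLY": CN_ONLY, "WITH_IP_SAN": WITH_IP_SAN, "DNS_SAN_ONLY": DNS_SAN_ONLY}
    for name, cert in samples.items():
        print(name, "->", audit(cert, "192.0.2.10"))
```

A certificate reported as "cn-only" is the kind that works only with a verifier that accepts the CN fallback and fails with one that applies the quoted rule strictly.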
So the recommended solution for that problem is to specify the subjectAltName with the IP address?
So the recommended solution for that problem is to specify the subjectAltName with the IP address?
Yes
I updated to version 0.6.10.1 and now it works again without recreating the certificate.
Thank you.
For further issues I will recreate the certificate with the IP address within the subjectAltName in the next days.
Great to hear!
I had this exact same problem after upgrading from 0.6.8 to 0.6.10 (self-signed certificate with IP address only). The sync problem appears to be resolved with 0.6.10.1 (still using original certificate without subjectAltName). Thank you rfc2822 for all your work on DAVdroid.