SNI doesn't work for Android <4.2 (Valid certificate shows "Untrusted Certificate")

  • Hello,
    I have recently change my self-signed certificate for a startSSL certificate on my webserver (owncloud on
    My configuration seems good :
    But Davdroid shows me the “untrusted certificate in certificate path” error.
    When I try to import the certificate with CAdroid, it says “the certificate chain is already trusted. You don’t need to import a certificate”.
    Configuration : Android 4.1.2, Davdroid 0.7.3, CAdroid 1.0.2 (both latest from f-droid)
    Do I miss something ?

  • developer

    Do you use a HTTP proxy? SNI?

  • developer

    I don’t get an “untrusted certificate in certificate path” error here. Can you provide a test account and detailed instructions on how to reproduce the error?

    Maybe there’s a redirection to another (untrusted) host in the CalDAV URLs?

  • developer

    Ok found the problem. We have used HttpClient instead of our own patched in DAVdroid 0.7.3. It supports SNI only for Android 4.2+. So please use DAVdroid 0.7.2 or upgrade to Android 4.2+.

  • Whoua ! you are so fast for finding the problem !
    Downgrading to Davdroid 0.7.2 corrected it.
    Problem solved, thank you so much !
    Will I have to use only 0.7.2 in the future ? or next version of davdroid would correct that regression ?

  • developer

    Will I have to use only 0.7.2 in the future ? or next version of davdroid would correct that regression ?

    Next versions will correct that, but I have to find out how to use packaged source JARs with gradle. For DAVdroid < 0.7.3, the HttpClient was packaged by us as pre-compiled .jar, so not all components of DAVdroid were 100 % open-source for the F-droid build. However, I want it to be 100 % open source, so I’ll have to make a source package of the latest HttpClient 4.3.5 branch which contains the fix. Will take some time…

    But good to hear that it now works for you 🙂

  • Cool. I’ll just wait before upgrading, so.
    You provide so great work. Thank you so much for this incredible app 🙂

  • Hi there!
    Unfortunately, 0.7.4 does not resolve this issue for me.
    DAVdroid still shows me the “untrusted certificate in certificate path” error (for both the domain mentioned by @Mageti above as well my own, also using a StartSSL-certificate with SNI).
    CAdroid shows already trusted certificate chain; android’s built-in browser opens and displays web page.

    Configuration: Android 4.1.2, DAVdroid 0.7.4, CAdroid 1.0.2 (both from Google Play Store)

    Anything else you might need to know? Could provide dummy account if need be…

  • developer

    @akki42 Unfortunately, I don’t have an Android 4.1 device. Does DAVdroid 0.7.2 work for you?
    @Mageti Does 0.7.4 fix the issue for you?

  • @rfc2822 DAVdroid 0.7.2 did indeed work (until “auto-updated” by Google Play Store to 0.7.3 two days ago).

    [edit: Also, versions 0.7.3 and 0.7.4 work fine on Android 4.2.2 and 4.4 devices with same settings.]

  • developer

    I don’t understand why the checked out httpclient-client code contained the old >= 4.2 instead of >= 2.3 …

    Re-opening, writing bug fix for bug fix. Hoping that 0.7.5 will work … embarassing.

  • @rfc2822 0.7.5 works fine for me; so: many thanks for your swift support for an excellent app!

Similar topics