SNI doesn't work for Android <4.2 (Valid certificate shows "Untrusted Certificate")



  • Hello,
    I have recently changed my self-signed certificate for a StartSSL certificate on my webserver (ownCloud on https://cloud.mageti.fr).
    My configuration seems good: https://www.sslshopper.com/ssl-checker.html#hostname=cloud.mageti.fr https://www.ssllabs.com/ssltest/analyze.html?d=cloud.mageti.fr&hideResults=on&latest
    But DAVdroid shows me the "untrusted certificate in certificate path" error.
    When I try to import the certificate with CAdroid, it says "the certificate chain is already trusted. You don't need to import a certificate".
    Configuration: Android 4.1.2, DAVdroid 0.7.3, CAdroid 1.0.2 (both latest from F-Droid)
    Am I missing something?


  • developer

    Do you use an HTTP proxy? SNI?


  • developer

    I don't get an "untrusted certificate in certificate path" error here. Can you provide a test account and detailed instructions on how to reproduce the error?

    Maybe there's a redirection to another (untrusted) host in the CalDAV URLs?


  • developer

    Ok found the problem. We have used HttpClient 4.3.5.1 instead of our own patched 4.3.5.2-DAVDROID1 in DAVdroid 0.7.3. It supports SNI only for Android 4.2+. So please use DAVdroid 0.7.2 or upgrade to Android 4.2+.



  • Whoa! You are so fast at finding the problem!
    Downgrading to DAVdroid 0.7.2 corrected it.
    Problem solved, thank you so much!
    Will I have to use only 0.7.2 in the future? Or will the next version of DAVdroid correct that regression?


  • developer

    > Will I have to use only 0.7.2 in the future? Or will the next version of DAVdroid correct that regression?

    Next versions will correct that, but I have to find out how to use packaged source JARs with gradle. For DAVdroid < 0.7.3, the HttpClient was packaged by us as pre-compiled .jar, so not all components of DAVdroid were 100 % open-source for the F-droid build. However, I want it to be 100 % open source, so I'll have to make a source package of the latest HttpClient 4.3.5 branch which contains the fix. Will take some time…

    But good to hear that it now works for you :)



  • Cool. So I'll just wait before upgrading.
    You do such great work. Thank you so much for this incredible app :-)



  • Hi there!
    Unfortunately, 0.7.4 does not resolve this issue for me.
    DAVdroid still shows me the "untrusted certificate in certificate path" error (for both the domain mentioned by @Mageti above as well as my own, also using a StartSSL certificate with SNI).
    CAdroid shows an already trusted certificate chain; Android's built-in browser opens and displays the web page.

    Configuration: Android 4.1.2, DAVdroid 0.7.4, CAdroid 1.0.2 (both from Google Play Store)

    Anything else you might need to know? Could provide dummy account if need be...


  • developer

    @akki42 Unfortunately, I don't have an Android 4.1 device. Does DAVdroid 0.7.2 work for you?
    @Mageti Does 0.7.4 fix the issue for you?



  • @rfc2822 DAVdroid 0.7.2 did indeed work (until "auto-updated" by Google Play Store to 0.7.3 two days ago).

    [edit: Also, versions 0.7.3 and 0.7.4 work fine on Android 4.2.2 and 4.4 devices with same settings.]


  • developer

    I don't understand why the checked out httpclient-client code contained the old >= 4.2 instead of >= 2.3 …

    Re-opening, writing bug fix for bug fix. Hoping that 0.7.5 will work … embarrassing.



  • @rfc2822 0.7.5 works fine for me; so: many thanks for your swift support for an excellent app!

