(Multi-user with Android 4.4.2 works here.)
SNI doesn't work for Android <4.2 (Valid certificate shows "Untrusted Certificate")
-
Hello,
I have recently changed my self-signed certificate for a StartSSL certificate on my webserver (ownCloud on https://cloud.mageti.fr).
My configuration seems good: https://www.sslshopper.com/ssl-checker.html#hostname=cloud.mageti.fr https://www.ssllabs.com/ssltest/analyze.html?d=cloud.mageti.fr&hideResults=on&latest
But DAVdroid shows me the “untrusted certificate in certificate path” error.
When I try to import the certificate with CAdroid, it says “the certificate chain is already trusted. You don’t need to import a certificate”.
Configuration: Android 4.1.2, DAVdroid 0.7.3, CAdroid 1.0.2 (both latest from F-Droid)
Am I missing something?
-
Do you use a HTTP proxy? SNI?
-
I don’t get an “untrusted certificate in certificate path” error here. Can you provide a test account and detailed instructions on how to reproduce the error?
Maybe there’s a redirection to another (untrusted) host in the CalDAV URLs?
-
Ok found the problem. We have used HttpClient 4.3.5.1 instead of our own patched 4.3.5.2-DAVDROID1 in DAVdroid 0.7.3. It supports SNI only for Android 4.2+. So please use DAVdroid 0.7.2 or upgrade to Android 4.2+.
-
Whoa! You are so fast at finding the problem!
Downgrading to DAVdroid 0.7.2 corrected it.
Problem solved, thank you so much!
Will I have to use only 0.7.2 in the future? Or will the next version of DAVdroid correct that regression?
-
Will I have to use only 0.7.2 in the future? Or will the next version of DAVdroid correct that regression?
Next versions will correct that, but I have to find out how to use packaged source JARs with gradle. For DAVdroid < 0.7.3, the HttpClient was packaged by us as pre-compiled .jar, so not all components of DAVdroid were 100 % open-source for the F-droid build. However, I want it to be 100 % open source, so I’ll have to make a source package of the latest HttpClient 4.3.5 branch which contains the fix. Will take some time…
But good to hear that it now works for you
-
Cool. I’ll just wait before upgrading, so.
You provide such great work. Thank you so much for this incredible app.
-
Hi there!
Unfortunately, 0.7.4 does not resolve this issue for me.
DAVdroid still shows me the “untrusted certificate in certificate path” error (for both the domain mentioned by @Mageti above as well as my own, also using a StartSSL certificate with SNI).
CAdroid shows already trusted certificate chain; Android’s built-in browser opens and displays web page.
Configuration: Android 4.1.2, DAVdroid 0.7.4, CAdroid 1.0.2 (both from Google Play Store)
Anything else you might need to know? Could provide dummy account if need be…
-
@akki42 Unfortunately, I don’t have an Android 4.1 device. Does DAVdroid 0.7.2 work for you?
@Mageti Does 0.7.4 fix the issue for you?
-
@rfc2822 DAVdroid 0.7.2 did indeed work (until “auto-updated” by Google Play Store to 0.7.3 two days ago).
[edit: Also, versions 0.7.3 and 0.7.4 work fine on Android 4.2.2 and 4.4 devices with same settings.]
-
I don’t understand why the checked out httpclient-client code contained the old >= 4.2 instead of >= 2.3 …
Re-opening, writing bug fix for bug fix. Hoping that 0.7.5 will work … embarrassing.
-
@rfc2822 0.7.5 works fine for me; so: many thanks for your swift support for an excellent app!