Detect self-signed SSL certs and allow their manual installation #66

Closed
avram opened this Issue Nov 15, 2011 · 8 comments

Owner

avram commented Nov 15, 2011

Many people running their own WebDAV setups use self-signed SSL certificates. Android does not provide a way of installing such certificates system-level, so we'll need to add support for them in our application. We can probably do this with a try/catch for the WebDAV connection (which we need anyway for better error reporting), and a new certificate install apparatus. It appears that we can set up our own SSLContext and specify additional allowed certificates, which we'll likely want to do.

Issue summary: http://www.mcbsys.com/techblog/2010/12/android-certificates/
SSLContext: http://code.google.com/p/android/issues/detail?id=11231#c15

Owner

avram commented Dec 12, 2011

This is fixed in Android 4.0 (ICS): http://code.google.com/p/android/issues/detail?id=11231#c107

But still would be nice to implement for Android 2.1/2.2+, since Android 4.0 won't be mainstream for at least 1-2 years.

Contributor

megatron-me-uk commented Mar 31, 2012

I found the easiest way to deal with this problem is to provide a webpage that returns your certificate authority public certificate with a special header; Android will install the certificate from the browser. This certainly works on 4.0 and 2.1. Perhaps asking for the certificate file and then pointing the browser to it or suggesting this within a help file?

Based on: http://www.realmb.com/droidCert/
In PHP:

-----BEGIN CERTIFICATE-----
...
LONG HASH
...
-----END CERTIFICATE-----

Owner

avram commented Mar 31, 2012

So you've confirmed that the cert is available to Zandy for its WebDAV requests after you save it? My reading of the docs and comments online was that the browser's certificate store was separate from the one available to apps.

Contributor

megatron-me-uk commented Mar 31, 2012

I can confirm this works for Zandy in 4.0 ICS; I have been using it extensively. As for other versions, I have only tested that a certificate will be added in an emulator, not that it will work on an actual device or in other apps. I will test that soon and comment.

On Mar 31, 2012 9:39 PM, "Avram Lyon" <reply@reply.github.com> wrote:

> So you've confirmed that the cert is available to Zandy for its WebDAV
> requests after you save it? My reading of the docs and comments online was
> that the browser's certificate store was separate from the one available to
> apps.

Owner

avram commented Mar 31, 2012

That's my concern-- ICS 4.0 has a central cert store which was not there in
previous versions.

Contributor

megatron-me-uk commented Apr 1, 2012

OK, in 2.1 it does not seem to work... The odd thing is that there are no relevant errors in the logs (searching for webdav, cert, domain, https, etc.). Could you point me to the relevant code so I can add some Log debug calls?

asad00 commented Feb 19, 2013

Hi, could you please help me with how to connect the Zotero database with the Android app?

Owner

avram commented Jan 18, 2014

This is working in 4.0+, which is now mainstream enough for me to be OK with calling that a sufficient solution.

@avram avram closed this Jan 18, 2014