Android 6.0 ssl issue #23

Open
tdecker91 opened this issue Sep 28, 2016 · 5 comments

@tdecker91

tdecker91 commented Sep 28, 2016

Android 6.0 does not like the expiration of the cert generated when it is 100 years in the future. I see this was changed from this issue #6 from max time to 100 years.

NOT_AFTER should be configurable to avoid these kinds of issues.

Android 5.1 working

Android 6.0 not working with the same certificate

@ganskef
Owner

ganskef commented Sep 28, 2016

Hi Tyson, thank you very much for this hint! I've never seen this problem within Android 6.0.1 or in emulator since I'm using the Certificate Authority in Firefox only. I've never tried it with the system certificates.

@ganskef
Owner

ganskef commented Sep 28, 2016

Hmm, it seems to affect the root certificate only. Server (fake, dynamic, mitm) certificates are working in all my environments with no issue. They're using the same max value...

The best way to configure NOT_AFTER is in the Authority class. Two separate values? Alternatively, we could change the defaults to, let's say, a day for a server certificate and 10 years for a root certificate. What do you think?

@tdecker91
Author

Hi Frank,

It seems to affect the server certificate here in CertificateHelper.java:

```java
private static final Date NOT_AFTER = new Date(System.currentTimeMillis() + 86400000L * 365 * 100);
```

A coworker of mine experimented with that date and found that if he set the cert to expire after less than two years it worked correctly in our environment. We have changes made that make the certificate more configurable, or load defaults if no configuration is passed in.

We will open a pull request when we are done with the changes and you can merge them in if they are to your liking.

Thanks for the quick response 👍
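
An added example, not code from this thread or from LittleProxy-mitm: one way to hold the two separate lifetimes discussed above and compute the validity window when each certificate is issued, since a `static final` date is evaluated once at class load and a one-day server lifetime would go stale in a long-running proxy. `ValidityPolicy`, its method names and the one-hour backdating are assumptions; the 10-year (taken as 3650 days) and one-day values are the defaults floated in the discussion.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;

/** Hypothetical helper: per-certificate validity windows with separate root/server lifetimes. */
public final class ValidityPolicy {
    private final Duration rootLifetime;
    private final Duration serverLifetime;
    private final Duration backdate; // notBefore is moved back to tolerate client clock skew
    private final Clock clock;

    public ValidityPolicy(Duration root, Duration server, Duration backdate, Clock clock) {
        if (root.isNegative() || root.isZero() || server.isNegative() || server.isZero())
            throw new IllegalArgumentException("lifetimes must be positive");
        if (server.compareTo(root) > 0)
            throw new IllegalArgumentException("server lifetime exceeds root lifetime");
        this.rootLifetime = root;
        this.serverLifetime = server;
        this.backdate = backdate;
        this.clock = clock;
    }

    /** {notBefore, notAfter} for a new root certificate, evaluated now. */
    public Date[] rootWindow() { return window(rootLifetime, null); }

    /** {notBefore, notAfter} for a server certificate, capped at the root's notAfter. */
    public Date[] serverWindow(Date rootNotAfter) {
        return window(serverLifetime, rootNotAfter.toInstant());
    }

    private Date[] window(Duration lifetime, Instant cap) {
        Instant now = clock.instant(); // read at issue time, not at class load
        Instant notAfter = now.plus(lifetime);
        if (cap != null && notAfter.isAfter(cap)) notAfter = cap;
        if (!notAfter.isAfter(now))
            throw new IllegalStateException("issuer certificate has already expired");
        return new Date[] { Date.from(now.minus(backdate)), Date.from(notAfter) };
    }

    public static void main(String[] args) {
        ValidityPolicy policy = new ValidityPolicy(
                Duration.ofDays(3650), Duration.ofDays(1), Duration.ofHours(1), Clock.systemUTC());
        Date[] root = policy.rootWindow();
        Date[] server = policy.serverWindow(root[1]);
        System.out.println("root:   " + root[0] + " .. " + root[1]);
        System.out.println("server: " + server[0] + " .. " + server[1]);
    }
}
```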

@ganskef
Owner

ganskef commented Sep 29, 2016

Info: I can't reproduce this behavior on Cyanogenmod, Android 6.0.1 MOB30Z, security patch level August 5, 2016. Importing the public key of the CA from xxx.pem into Security > Trusted credentials > USER and WLAN certificates works fine with my cell phone.

My application Mo Cuishle is based on LittleProxy-mitm and every certificate (root and connections) is expiring in a hundred years. I know somebody using it with vanilla Google Android on a Nexus device. I'm confused, and would like to understand the issue, will try it on emulator...

@slava-kuksa-op

I have opened the promised pull-request #24 which brings more configuration options for dynamic certificates.
