java.security.cert.CertificateException: Untrusted Certificate! / use android trusted certificate authority store #951

Open
bug-ware opened this issue Dec 10, 2022 · 3 comments
@bug-ware

Description of the issue

Thank you very much for quickly dealing with #946. I backed up/imported an https-key/cert issued by my CA, and the SSL cert warning is gone when opening the web GUI in a regular browser. Perfect. The CA cert is installed as a trusted CA in Android.

However, the app is no longer connecting to the Syncthing process. Once Syncthing is started, the state indicator stays yellow. The folders and devices are not correctly updated. One cannot open the internal web page view, since the field is grayed out.

Reproduction Steps

Back up (export) the Syncthing settings and replace https-key.pem and https-cert.pem with files issued by a CA that is trusted system-wide. (I kept a copy of the previous files.) Re-import the backup with those changes. Syncthing gets started but the status indicator stays yellow.
NB: Undo the change by stopping Syncthing. Restore the previous key/cert. Start Syncthing-Fork. Immediately import the backup. If Syncthing isn't starting, quit/kill the app and repeat.

Proposed actions

Either use the system-wide CA certs to verify the CA-issued cert of the web GUI, or allow configuring the CA cert in the app GUI. Or maybe one could also take the CA cert from https-cert.pem, if this includes the whole cert chain, i.e., also the CA cert.

Version Information

  • App Version: 1.22.2.2
  • Syncthing Version: v1.22.2
  • Android Version: Android 10
  • Device manufacturer: Motorola
  • Device model: Moto g7 plus (XT1965-3)

App log

17:58:38W/PollWebGuiAvailableTask Unexpected error while polling web gui
17:58:38W/PollWebGuiAvailableTask com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: Untrusted Certificate!
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.NetworkUtility.shouldRetryException(NetworkUtility.java:173)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:145)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:132)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)
17:58:38W/PollWebGuiAvailableTask Caused by: javax.net.ssl.SSLHandshakeException: Untrusted Certificate!
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:411)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:542)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:106)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:30)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.HurlStack.executeRequest(HurlStack.java:91)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:104)
17:58:38W/PollWebGuiAvailableTask  ... 3 more
17:58:38W/PollWebGuiAvailableTask Caused by: java.security.cert.CertificateException: Untrusted Certificate!
17:58:38W/PollWebGuiAvailableTask  at com.nutomic.syncthingandroid.http.SyncthingTrustManager.checkServerTrusted(SyncthingTrustManager.java:58)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:228)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:407)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
17:58:38W/PollWebGuiAvailableTask  ... 18 more
17:58:38W/PollWebGuiAvailableTask Caused by: java.security.SignatureException
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.OpenSSLX509Certificate.verifyOpenSSL(OpenSSLX509Certificate.java:385)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.OpenSSLX509Certificate.verify(OpenSSLX509Certificate.java:411)
17:58:38W/PollWebGuiAvailableTask  at com.nutomic.syncthingandroid.http.SyncthingTrustManager.checkServerTrusted(SyncthingTrustManager.java:54)
17:58:38W/PollWebGuiAvailableTask  ... 23 more
17:58:38W/SyncthingService Deferring shutdown until State.STARTING was left
17:58:38W/PollWebGuiAvailableTask Unexpected error while polling web gui
17:58:38W/PollWebGuiAvailableTask com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: Untrusted Certificate!
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.NetworkUtility.shouldRetryException(NetworkUtility.java:173)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:145)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:132)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)
17:58:38W/PollWebGuiAvailableTask Caused by: javax.net.ssl.SSLHandshakeException: Untrusted Certificate!
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:411)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:542)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:106)
17:58:38W/PollWebGuiAvailableTask  at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:30)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.HurlStack.executeRequest(HurlStack.java:91)
17:58:38W/PollWebGuiAvailableTask  at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:104)
17:58:38W/PollWebGuiAvailableTask  ... 3 more
17:58:38W/PollWebGuiAvailableTask Caused by: java.security.cert.CertificateException: Untrusted Certificate!
17:58:38W/PollWebGuiAvailableTask  at com.nutomic.syncthingandroid.http.SyncthingTrustManager.checkServerTrusted(SyncthingTrustManager.java:58)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:228)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:407)
17:58:38W/PollWebGuiAvailableTask  at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
...

Thank you!
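
The trace above ends in `OpenSSLX509Certificate.verify` throwing `SignatureException` inside `SyncthingTrustManager.checkServerTrusted`. The following is an added example, not Syncthing-Fork's code, of a trust manager that would accept both the original self-signed certificate and a CA-issued one, combining an exact pin on `https-cert.pem` with the system-store check proposed above. The class name `PinnedOrPlatformTrustManager` is hypothetical, and whether user-installed CAs count as trust anchors on Android is assumed to depend on the app's network security configuration.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class for illustration; not part of Syncthing-Fork.
public final class PinnedOrPlatformTrustManager implements X509TrustManager {
    private final X509Certificate pinned;     // first certificate in https-cert.pem
    private final X509TrustManager platform;  // validator backed by the default trust store

    public PinnedOrPlatformTrustManager(InputStream httpsCertPem) throws Exception {
        // generateCertificate() reads one certificate: the leaf when the file holds a chain.
        pinned = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(httpsCertPem);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform's default trust anchors
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        platform = found;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        // 1) Exact pin: Certificate.equals() compares the DER encodings, so this
        //    holds for a self-signed and for a CA-issued GUI certificate alike.
        if (chain[0].equals(pinned)) return;
        // 2) Otherwise require a chain to a trusted CA. This path is only safe
        //    while hostname verification stays enabled on the connection.
        platform.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client authentication is not supported");
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
```

The exact pin alone is enough when the app only ever talks to its own local Syncthing instance, because it does not depend on who issued the certificate.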

@Catfriend1 Catfriend1 added the bug label Dec 16, 2022
@Catfriend1
Owner

@bug-ware could you please provide me with a valid CA file to import into Android and a valid https-cert for Syncthing, for testing purposes?

@bug-ware
Author

I have created a test CA. You can find the public certificate here:
ca-test.zip

Since I don't know your hostname, I have signed a cert that is also valid for localhost and localhost IPs:
private.zip
public.zip
I guess you will be fine using the *.pem files.

Please let me know if you need more information or files.
