Author Topic: where are certificates stored?  (Read 4558 times)

wjcarpenter

  • Newbie
  • *
  • Posts: 7
where are certificates stored?
« on: November 24, 2016, 09:01:42 am »
I was reconfiguring my server with a new TLS certificate (letsencrypt.org, yay!) and I got a pop-up from AquaMail about it. It showed me the previous certificate and the new one, and it asked me to confirm that I trusted the new one.

Pretty cool.

But what if I confirmed a bogus certificate by mistake? Is there a way to view or manage the accepted certificate?

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: where are certificates stored?
« Reply #1 on: November 25, 2016, 09:55:44 pm »
Re: But what if I confirmed a bogus certificate by mistake? Is there a way to view or manage the accepted certificate?

Then the app will trust it. It's your decision.

If deciding on trust could be completely automatic and fully reliable, then the app wouldn't have to ask a human.

Re: where stored, how to reset

Stored somewhere in the app's private data directory, not accessible without root.

To reset, you can long press the account -> account setup -> go through with it -> will clear any previously "accepted" ones, keeping only the current cert.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

wjcarpenter

  • Newbie
  • *
  • Posts: 7
Re: where are certificates stored?
« Reply #2 on: November 26, 2016, 01:13:00 am »
Thanks for the info.

I had tried that "account setup" before, but a funny thing happened ... my on-screen keyboard hid the SSL certificates button, so I never saw it. My bad!

thanks again

wjcarpenter

  • Newbie
  • *
  • Posts: 7
Re: where are certificates stored?
« Reply #3 on: November 27, 2016, 11:03:45 pm »
Quote
If deciding on trust could be completely automatic and fully reliable, then the app wouldn't have to ask a human.

I don't know much about Android development, but why can't it be completely automated? Forgive my lack of knowledge in this area. I'm sure there must be a good reason. I'm curious what it is.

I'm using a certificate that chains up to a well-known CA (mine -> Let's Encrypt -> DST Root CA). The certificate bundle that my server provides is the complete chain. It's automatically trusted by everything else I've tried, both on my phone and on my laptop. Doesn't Android use some central repository of trusted CAs, and maybe even provide some APIs for simplifying certificate validation?

(One minor complication is that my certificate contains the name of my IMAP and SMTP servers in the extension Server Alternative Name field, so the Subject CN does not match the server name. That's pretty common these days.)

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: where are certificates stored?
« Reply #4 on: November 28, 2016, 01:01:33 am »
AquaMail does use CA chain trust checks, of course.

And there is a way to turn this off for the app to accept self-signed certs.

The problem solved by "SSL cert change tracking" is:

The "chain of trust" provided by CA's can be leaky, and a malicious (or suspicious) cert may have a perfectly valid chain of CA's.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

wjcarpenter

  • Newbie
  • *
  • Posts: 7
Re: where are certificates stored?
« Reply #5 on: November 28, 2016, 04:08:06 am »
Quote
The "chain of trust" provided by CA's can be leaky, and a malicious (or suspicious) cert may have a perfectly valid chain of CA's.

Leaky? Do you mean because the certificate or one of the intermediary certificates might have been revoked? If not, what do you mean?

If everything validates up to a trusted root, then revocation should be all that matters, right? I know there is overhead in checking revocations. If that's the issue, then hypothetically would OCSP stapling help? (I use exim for SMTP, and it supports OCSP stapling. As far as I can tell, my IMAP server, dovecot, does not, though it's on a list as a possible future item.)

The reason I am following up on this is because of a user experience question. I'm pretty familiar with certificates and handshakes and blah, blah, blah, but lots of the people I recommend AquaMail to are just "regular folks" who mildly panic if they see something like the AquaMail "new certificate" message. I'd rather they only see such messages when it is actually likely to mean something they should pay attention to. Yesterday, I changed my certificate again, but it was signed by the same authority and had the same chain to a trusted CA. I had already said I trusted the old certificate, and I was a little surprised to be asked again.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: where are certificates stored?
« Reply #6 on: November 29, 2016, 09:45:15 pm »
Quote
Leaky? Do you mean because the certificate or one of the intermediary certificates might have been revoked? If not, what do you mean?

There have been reports of CA centers losing their "signing kits" and/or not properly validating cert signing requests.

So the case is -- someone (a malicious third party) being able to have a properly signed / validating cert for, say, imap.gmail.com or maybe some lesser mail service.

With CA validation, this cert would be accepted by the "CA chain of trust" logic, and an MITM would succeed.

Re: "regular folks" who mildly panic if they see something like the AquaMail "new certificate" message

The setting for SSL cert tracking is really for the security minded, knowledgeable users -- and therefore, it is off by default.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

wjcarpenter

  • Newbie
  • *
  • Posts: 7
Re: where are certificates stored?
« Reply #7 on: November 29, 2016, 09:51:34 pm »
Quote
The setting for SSL cert tracking is really for the security minded, knowledgeable users -- and therefore, it is off by default.

Oops! I was just going to ask for such a setting to make it optional. I found the checkbox for it, and I had it turned on. I don't remember doing that, but I probably did a long time back.

That completely satisfies my concern about this. Thanks!