Author Topic: Problem with server certificate in 1.17.0-1318  (Read 6199 times)

twin

  • Newbie
  • *
  • Posts: 7
Problem with server certificate in 1.17.0-1318
« on: October 25, 2018, 10:03:48 pm »
Since the upgrade to 1.17.0-1318 I cannot connect to my IMAP server with a self-signed certificate any more. I get the error message 'Error checking mail: Invalid security (SSL) certificate: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found', even though the CA certificate is installed in Android. It still works fine when using an older AquaMail version.
Was there any change regarding certificates in 1.17.0-1318?

magus21

  • Newbie
  • *
  • Posts: 14
Re: Problem with server certificate in 1.17.0-1318
« Reply #1 on: October 25, 2018, 10:30:33 pm »
Try this and see if it works long press your email account and go into account setup select manual and under your mail server setting for your SSL select accept any then go to the next setting under your SMTP server for your TTLS setting select accept any save your settings and see if it doesn't work hope this helps.

twin

  • Newbie
  • *
  • Posts: 7
Re: Problem with server certificate in 1.17.0-1318
« Reply #2 on: October 25, 2018, 10:45:20 pm »
Thanks, but this does not work either. Besides, in AquaMail pre-1.17.0-1318 the certificate is accepted even under 'strict check', so I think the certificate is ok.

snubslump

  • Newbie
  • *
  • Posts: 1
Re: Problem with server certificate in 1.17.0-1318
« Reply #3 on: October 26, 2018, 07:38:59 pm »
Me too.  Getting this error after latest update.  The certificate presented by the server is signed by a User CA loaded on the phone and was working fine with a strict check previously.

The server name used in the configuration is a listed SAN, but not the CN in the certificate, which may be relevant?


twin

  • Newbie
  • *
  • Posts: 7
Re: Problem with server certificate in 1.17.0-1318
« Reply #4 on: October 26, 2018, 08:10:02 pm »

The server name used in the configuration is a listed SAN, but not the CN in the certificate, which may be relevant?

In my case, the server name is in the CN field

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Problem with server certificate in 1.17.0-1318
« Reply #5 on: October 28, 2018, 02:10:00 pm »
"SSL accept any" should work, no reason why it should not.

If it doesn't - I'll need to know server name (so I can try connecting) and Android version (just in case).
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

twin

  • Newbie
  • *
  • Posts: 7
Re: Problem with server certificate in 1.17.0-1318
« Reply #6 on: October 28, 2018, 02:36:55 pm »
Sorry - I checked again and "accept any" does indeed work.

But that's not something I would like to use, as it defeats the purpose of using SSL in the first place. So I'm still wondering if something changed in 1.17.0-1318 regarding SSL or user-installed certificates.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Problem with server certificate in 1.17.0-1318
« Reply #7 on: October 28, 2018, 02:49:19 pm »
Quote
But that's not something I would like to use, as it defeats the purpose of using SSL in the first place. So I'm still wondering if something changed in 1.17.0-1318 regarding SSL or user-installed certificates.

Well (1) - the app has a feature (in settings / network) to track certificate changes if you're worried about MITM.

Well (2) - using a certificate that is trusted by the OS (without having to rely on installing "user" CA certs) would seem like a good idea in any case.

Well (3) - we did tweak ciphers to stop the app from sending "TLS_FALLBACK_SCSV" which was a bug and prevented connecting to TLS 1.3 capable servers - when "SSL hardening" setting was enabled:

https://www.aqua-mail.com/forum/index.php?topic=6824.msg41369#msg41369

In terms of *certificate* trust - nothing's changed to my knowledge.

We still use these three lines of code to create sockets (as ever before):

Quote
   SSLContext sslContext = SSLContext.getInstance("TLS");
   sslContext.init(km, null, null);
   return sslContext.getSocketFactory();

Can you try turning off app settings -> network -> SSL hardening? To see if it would make "SSL strict" work again?

When SSL hardening is OFF - we enable some additional ciphers for compatibility but overall "mess with" SSL stuff much less.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Problem with server certificate in 1.17.0-1318
« Reply #8 on: October 28, 2018, 03:12:29 pm »
Oh just remembered:

In 1.17 when "SSL hardening" is enabled - I also added code to remove "_NULL_" ciphers (no encryption).

Maybe this is it - but then, if it is, previously you must have had no security:

https://developer.android.com/reference/javax/net/ssl/SSLSocket

Search the page for "_null_" - you'll see ciphers like

TLS_ECDH_RSA_WITH_NULL_SHA

https://ciphersuite.info/cs/TLS_ECDH_RSA_WITH_NULL_SHA
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

twin

  • Newbie
  • *
  • Posts: 7
Re: Problem with server certificate in 1.17.0-1318
« Reply #9 on: October 28, 2018, 03:22:21 pm »
Thanks - I agree that detecting certificate changes would make `accept any' acceptable.

SSL hardening has been OFF all the time.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Problem with server certificate in 1.17.0-1318
« Reply #10 on: October 28, 2018, 03:24:19 pm »
Re: SSL hardening has been OFF all the time.

In that case - really can't think of anything.

When "ssl hardening" is off + Android 5.0 or newer -> we only enable some additional ciphers for compatibility and that's it.
« Last Edit: October 28, 2018, 03:55:51 pm by Kostya Vasilyev, Aqua Mail »
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

twin

  • Newbie
  • *
  • Posts: 7
Re: Problem with server certificate in 1.17.0-1318
« Reply #11 on: October 30, 2018, 12:22:05 am »
I've googled around a bit and found some information at https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html [nofollow] :

Quote
Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.

At the same time I see that the targetSdkVersion of AquaMail jumped from 23 to 24 in 1.17.0-1318. So that could explain the behavior that I observe.

Would it be possible to explicitly allow user-added CAs in a future version of AquaMail?

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Problem with server certificate in 1.17.0-1318
« Reply #12 on: November 01, 2018, 10:37:36 pm »
Yes I believe this is it.

Please try this version:

https://www.aqua-mail.com/staging/AquaMail-market-1.17.0-1331-stable-7f637bcf78c3.apk

I added a "networkconfig" which re-enables trust for user-installed CA's.

It should work with "user installed CA" + "SSL strict" even on 7.0 +.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

twin

  • Newbie
  • *
  • Posts: 7
Re: Problem with server certificate in 1.17.0-1318
« Reply #13 on: November 01, 2018, 11:03:39 pm »
Yes, it accepts the certificate again even with "strict check" enabled.

Thanks a lot for the prompt response!