
Android app can no longer connect to secure server trusted by user-added CA #3312


Closed
noemartinez opened this issue Jan 25, 2019 · 1 comment · Fixed by #5493
Labels
a-Android a-TLS TLS/SSL certificates and config; "Cannot connect to server" errors

Comments

@noemartinez

We have a Zulip server set up with a secure SSL certificate, but the certificate is trusted only by an internal Certificate Authority of ours so far, not yet a public CA.

In previous versions of the Android app, I was able to connect to the server from the Android app as long as my phone was connected to our VPN and I had added our internal CA to my Android device.

This no longer works in the latest versions of the app. Zulip now says "Cannot connect to server".

I'm fairly confident the fix is fairly simple: add a network security configuration file to the app, and set it up to trust user-added CAs for secure connections, but I'm not sure if there are any philosophical objections to re-enabling that. Hopefully not! It has been a handy workflow while we're internally testing Zulip before we are able to expose our server publicly.

Thanks!

borisyankov added a commit to borisyankov/zulip-mobile that referenced this issue Jan 25, 2019
Fixes zulip#3312

Apps that target API Level 24 and above no longer trust user or
admin-added CAs for secure connections, by default.

This config allows the app to trust user-added certificate
authorities for all secure connections.

More details here:
 * [Changes to Trusted Certificate Authorities in Android Nougat](https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html)
 * [Network security configuration](https://developer.android.com/training/articles/security-config)
@gnprice gnprice added the a-TLS TLS/SSL certificates and config; "Cannot connect to server" errors label Aug 28, 2019
@gnprice
Member

gnprice commented Aug 28, 2019

A later request for this appears at #3425.

The reason this changed in a new version of the Zulip app was that the default had changed in Android. This was one of those changes which Android gives apps some choice in the timing of, through the targetSdkVersion mechanism for saying what Android version's defaults to use.

There was a PR at #3314, now stale. That version allowed user-added CAs globally. My feedback there was:

Hmm. I don't love this solution of reverting to the old defaults. The problem of securing TLS and the CA system is complex and has a number of smart people working on it, and in general I'd much rather take the solutions shipped by major browsers and other expert security teams like those at Google, rather than second-guess them.

For the request in #3312 [that's this issue!], I think my ideal solution would be to make it a user opt-in: a switch in settings somewhere. Unfortunately there doesn't seem to be a good way to control this from code -- if you need to control it from code, it looks like you're stuck with the notorious TrustManager API, and I don't even see how to express in that API the equivalent of this configuration. (Surely it's there somehow? But it's going to be complicated to pin down.)

A solution that I think I'd be OK with would be to set this configuration except for domains that we know should be identified by certs from global trusted CAs. In particular: zulipchat.com and its subdomains, and chat.zulip.org. That should mitigate the risk substantially. In the blog post [linked in the OP of this issue], under "Trusting user-added CAs for all domains except some" there's an example of how to do this.

I'd be happy to take a PR for the solution described in that last paragraph.
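To make the two configurations discussed in this thread concrete (the global "trust user-added CAs everywhere" variant from the stale PR, and the "all domains except some" variant proposed above), here is an added example that is not part of the zulip-mobile code base. It embeds a constructed Android Network Security Configuration file that trusts user-added CAs by default but pins zulipchat.com (with subdomains) and chat.zulip.org to the system store only, and then models how Android chooses trust anchors for a given hostname. The hostnames, the resolver functions and the simplified precedence rule (longest matching domain, then base-config, then the API 24+ platform default) are this example's own assumptions, not Android's implementation.

```python
"""Model of how Android's Network Security Configuration picks trust anchors for a host."""
import xml.etree.ElementTree as ET

# Constructed example config following the "trust user-added CAs for all domains
# except some" pattern. In a real app it would be saved as
# res/xml/network_security_config.xml and referenced from AndroidManifest.xml via
# android:networkSecurityConfig="@xml/network_security_config".
# Dropping the <domain-config> block yields the global variant (user CAs trusted everywhere).
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Default for every host not matched by a domain-config below:
         system CAs plus CAs the user installed in Settings. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <!-- Hosts that must always be identified by a publicly trusted CA:
         only the system store, so a user-added CA cannot vouch for them. -->
    <domain-config>
        <domain includeSubdomains="true">zulipchat.com</domain>
        <domain includeSubdomains="false">chat.zulip.org</domain>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
"""

# Platform default for apps targeting API 24 and above: system CAs only.
DEFAULT_TRUST_SOURCES = ("system",)


def _trust_sources(node):
    """Return the certificate sources listed under a node's <trust-anchors>, or None."""
    anchors = node.find("trust-anchors")
    if anchors is None:
        return None
    return tuple(c.get("src") for c in anchors.findall("certificates"))


def _domain_matches(hostname, domain_el):
    """Exact match always counts; subdomains only when includeSubdomains="true"."""
    pattern = domain_el.text.strip().lower()
    include_sub = domain_el.get("includeSubdomains", "false").lower() == "true"
    if hostname == pattern:
        return True
    return include_sub and hostname.endswith("." + pattern)


def trust_sources_for(hostname, config_xml=NETWORK_SECURITY_CONFIG):
    """Tuple of certificate sources (e.g. ('system', 'user')) that may vouch for hostname.

    Simplified model (assumption): the most specific, i.e. longest, matching <domain>
    wins; otherwise <base-config>; otherwise the platform default.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    hostname = hostname.lower().rstrip(".")
    best, best_len = None, -1
    for dc in root.findall("domain-config"):
        for d in dc.findall("domain"):
            if _domain_matches(hostname, d) and len(d.text.strip()) > best_len:
                best, best_len = dc, len(d.text.strip())
    if best is not None:
        srcs = _trust_sources(best)
        if srcs is not None:
            return srcs
    base = root.find("base-config")
    if base is not None:
        srcs = _trust_sources(base)
        if srcs is not None:
            return srcs
    return DEFAULT_TRUST_SOURCES


def trusts_user_cas(hostname, config_xml=NETWORK_SECURITY_CONFIG):
    """True if a CA installed by the user could authenticate this hostname."""
    return "user" in trust_sources_for(hostname, config_xml)


if __name__ == "__main__":
    # Constructed hostnames: an internal test server, the pinned domains, and edge cases.
    for host in ["zulip.internal.example", "zulipchat.com", "team.zulipchat.com",
                 "chat.zulip.org", "sub.chat.zulip.org"]:
        print(f"{host:28} user CAs trusted: {trusts_user_cas(host)}")
```

Running it shows the intended split: the internal test server (and any other unlisted host) accepts the user-added CA, while zulipchat.com, its subdomains and chat.zulip.org fall back to the system store. Note that sub.chat.zulip.org is not covered because that domain entry has includeSubdomains="false", which is the kind of detail worth checking before shipping such a file.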

shrizza added a commit to shrizza/zulip-mobile that referenced this issue Sep 22, 2022
shrizza added a commit to shrizza/zulip-mobile that referenced this issue Oct 30, 2022
gnprice pushed a commit to shrizza/zulip-mobile that referenced this issue Nov 3, 2022
[greg: expanded explanatory comments]

Fixes: zulip#3312
@gnprice gnprice closed this as completed in 85c3a71 Nov 3, 2022