On Sun, Mar 9, 2014 at 4:50 AM, AssemblyRequired <[email protected]> wrote:

> Ok, we have installed a certificate from GeoTrust (2nd largest issuing
> authority) on a web site to give https pages and it worked fine on PCs,
> iPhones, iPads, Windows Phone. However it failed on several Android devices
> "problem with site certificate: not trusted". The problem was that an
> intermediate certificate was required. Bit of Googling and a free download
> of the intermediate certificate and the problem was initially solved.
>

Some systems and browsers will automatically learn about new intermediate CAs as they see them included in server responses and can verify the chain up to a known root. However, if you take an out-of-the-box system and point it at a server without the intermediate CA, they will fail to validate the server certificate as well. Android 3.0+ will do this in a limited way, remembering intermediate CAs discovered during the lifetime of a process (such as a browser or app), but will not persist this between app executions. This is to support certain website tricks (see below), but supporting this is not part of any standard that I'm aware of.

> However the system we are using has load balancers which have space for
> only one certificate.
>

That doesn't sound right to me. If so, can you give manufacturer and model information?

Yes, some sites, even major ones, do tricks of leaving out intermediate CAs on some servers if they are sure that the client would have seen the intermediate CA on a different path first. For example, leaving the intermediate CA off servers for javascript or image resources, but still including it on the servers that serve the HTML. But they guarantee the process will have seen the intermediate CA from at least one server before loading content from the intermediate-free servers. If a browser were to visit an image server directly, they could see an untrusted site error.

> There is a financial penalty (and so scalability issues etc).
>

I don't see any scalability issues with including a CA, though it does make the handshake larger.

> What ssl issuing authorities are supported by Android without intermediate
> certificates please?
>

I would assume none. I think every well managed CA keeps the root CA private key offline in bank level plus security and only uses it for the rare occasions of creating the intermediates they use to issue intermediate CAs. So since no sane CA would issue server certs directly from their root CA, and since Android does not include any intermediate CAs, you aren't going to find that using a different CA solves your problem.

> Ie what certs does Android actually trust?
>

Current root CAs are at:

https://android.googlesource.com/platform/libcore/+/a7752f4d22097346dd7849b92b9f36d0a0a7a8f3/luni/src/main/files/cacerts/

Is your server being accessed via a browser or an app? If you are using an app, you could configure your own X509TrustManager (example here http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html) that could be set up to trust your intermediate CA.

-bri

> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/d/optout.
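The failure mode bri describes (a client whose trust store holds only root CAs cannot validate a leaf unless the server also sends the issuing intermediate) can be reproduced offline. The following is an added example, not code from the thread or from the Android project; it is written in Go rather than the Java the thread points at because Go's standard crypto/x509 package can mint a three-tier chain and run the same path-building a TLS client does, with no network and no external CA. All names ("Example Root CA", "Example Issuing CA", "www.example.com") and serial numbers are constructed for the example; Handshake is a constructed helper that stands in for the client side of a TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI (offline root, issuing intermediate,
// server leaf), the shape every commercial CA uses.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA certificate template (constructed names).
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// BuildChain mints root -> intermediate -> leaf entirely in memory.
func BuildChain() (*Chain, error) {
	root, rootKey, err := issue(caTemplate(1, "Example Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Example Issuing CA"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Handshake models a fresh client whose trust store holds only the root
// (as Android's system store does) validating what the server sent: the
// leaf alone, or the leaf plus the intermediate. A nil return means the
// client could build a chain from the leaf up to a trusted root.
func (c *Chain) Handshake(serverSendsIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	sent := x509.NewCertPool() // extra certs carried in the server's Certificate message
	if serverSendsIntermediate {
		sent.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.com",
		Roots:         roots,
		Intermediates: sent,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf only:          ", ch.Handshake(false))
	fmt.Println("leaf + intermediate:", ch.Handshake(true))
}
```

Handshake(false) fails with an unknown-authority error because the leaf's issuer is the intermediate, which is in neither the trust store nor the server's response; Handshake(true) succeeds. On a real deployment the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`: if only one certificate appears in the output, the server is sending the leaf alone and every client that has not already cached the intermediate, a fresh Android process included, will reject it.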
