Certificate Issues

[Weygand]

Hello Everyone,

I'm having a bit of an issue with my Incredible. It works fine for about 8 hours then I begin to get certificate errors in the notification bar. It gives me untrusted certificate warnings (these are legitimate certificates from a legitimate company); I can still get it to sync when I tell it to continue, but I would like to know what is causing this error when I haven't seen it on my other Android devices.

Any other Exchange users experiencing this?

Regards,

 

[R1Lover]

I haven't had an issue.... have you tried different config settings?

 

[Weygand]

I haven't had an issue.... have you tried different config settings?

Thanks for the reply. Yes, I have. I also have had myself put into a test group on one our development exchange groups with relaxed standards which has definitely translated over because I'm not forced to adhere to certain policies our user base would have to observe. I've also enabled the use of trusted certificates in Settings/Security.

I have tried the Android Certificate Installer/ but had no luck.:greendroid::greendroid::icon_eek:

It must be something I am messing up because more people would be posting about it.

 

[R1Lover]

what version of exchange are you running? are there any other android phones connecting without issues?

 

[Weygand]

Problem limited to Native Exchange Support

what version of exchange are you running? are there any other android phones connecting without issues?

We're running Exchange 2003 and I have connected my Droid native client and TD. I don't see the issue on my Droid or any other Android devices, but the Droid is the only other one I can get the native client to sync with Exchange. My Devour and Backflip use the Moto Blur overlay which handles the security requirement without issue and obviously Touchdown doesn't have these issues

 

[nightstalker6118]

It's not just you. My company identified this same problem in early testing of the Incredible. I think it is an HTC issue because our IT department keeps telling us that Verizon is working with HTC to fix the issue. We're also on 2003. They won't allow the phone on our corporate plan until this gets fixed.

 

[DoctorDeDroid]

I don't know what's going on here but I started getting warnings about untrusted certificates (on my D1) a few days ago... and these are on sites which I repeatedly visited over the last several months. Sites like slashdot.org (which complains a certificate issued to Google, by Thawte SGC CA is not trusted) or verizon which complains that a different cert (espanol.verizon.com issued by Cybertrust Public SureServer SV CA) isn't trusted (this one was issued on December 13, 2011 and I KNOW I visited the site a few weeks ago and, sure as s**t did not get this warning!) It's like something smoked my browser's trust store.... I can't find where this damn phone manages trusted certs in the first place so I'm a bit perplexed. Does anybody know what's going on here?

 

[mamawm]

I started getting that message on my bionic yesterday but only on THIS site, and I feel pretty sure droidforums.net can be trusted.

Sent from my A100 using DroidForums

 

[DoctorDeDroid]

As if things couldn't get more bizzare....

As a rooted D1 user, and seeing as how I have a basic idea on how Certifying Authorities and trust stores work (I've been successful at my company in implementing SSL, setting up an in house CA to sign our server certs, chains, and other such nonsense) I took it upon myself to update /etc/security/cacerts.bak myself. I found that I needed the bouncycastle (I kid you not) crypto provider to read and/or change the keystore (thanks so much for not using std. jks). I then found the offending (or rather *missing*) CA Certs, starting with the one from Thawte (now Verisign). I went straight to the Verisign website as I sure as hell wasn't going to trust some odd download. I unpacked the zipped up FULL CA list and stuffed the appropriate item into the CA store. Swapped out the store (after copy and backup of the original), rebooted the phone just for the halibut, and pointed my browser back to slashdot.org and voila, NO warning. Gives one a bit of confidence doesn't it? So I repeated the process for the stupid one VZW's website was hollerin' about. This was a touch more complex because the signing cert was part of a chain so I needed BOTH items in the store. Added them, and again success! THEN I discovered that my VZW DVR manager now REFUSED TO CONNECT. After a temporary red herring (I added a network printer to my network and needed to kick over the wireless router, and also found that for a short time I could not use VZW website to manage my dvr) everything seemed to be back to normal EXCEPT my droid's DVR manager app. So on a lark, I switched the bks files back to the original that was on my droid. The result was:

1) my dvr manager app could now connect and all was well...
2) the warnings I WAS getting in my browser DISAPPEARED completely.

WTF is going on here??? This is patently stupid. I not so crazy to think I could not have done something wrong... but all I did was ADD a couple of CA certs to the keystore... how on earth could this have broken DVR manager's connectivity since whatever certs it needed are STILL in the store? I sure as heck didn't take one out! And since I WAS getting these messages on the *original* keystore, *why did the warnings go away when I put the original back*? (unless by some miracle slashdot/google/vzw changed things back on their servers!)