GUI to add/trust SSL root certs/self signed certs
Would be nice to be able to add the CA root certs or trust a self-signed cert. This should be a global trust for e.g. wifi/browser/email client and so on.
I think this should be solved by having proper certificate management in Jolla, with UI and all, as well as having ways to securely accept self-signed certificates when they may be needed.
The following is a copy of a question/feature-request I made before, but which was closed as a duplicate of this question. Accepting self signed certificates is still open so if you would want to be able to accept/deny certificates in any app (email, XMPP, web browser, etc.) please go and vote for it.
A certificate manager (with UI) to install, modify and delete X.509 certificates on the Jolla device is needed.
This certificate manager should be able to handle installing of both CA and client certificates from files, email attachments, configuration packages or directly from web browser downloads. MIME types could be used for sending certificates always to the certificate manager app.
It should also have the capabilities to edit trust settings for all certificates like for example that certain certificates could only verify email servers, web servers, wifi authentication servers or persons and not by default all of them.
Managing certificates should support mass operations so that for example revoking trust from several certificates could be done without having to go through all certificates one-by-one.
No certificates should be above the certificate manager's control, meaning that also built-in certificates should be able to be deleted or at least distrusted or their scope to be modified (limiting them for example to web site authorisation etc.).
imho, this doesn't need to come from jolla, an app could be made for this...
AL13N ( 2014-01-18 00:17:22 +0300 )
This kind of functionality is a part of core platform security, because every app using SSL/TLS needs to be able to use it. The only way to keep it stable and secure is to develop it with the platform. Outsiders cannot participate, they can only follow and that does not work.
Karri Huhtanen ( 2014-01-18 10:58:28 +0300 )
I'll add one more requirement on top of that of Karri's: API to manage the certificates via EMM/MDM platform. Rationale for this are enterprises running WLAN networks with WPA2 Enterprise authentication. That is, they have corporate root certificate they need to mass-deploy to devices at the minimum. Normally they also need something like SCEP on devices to manage certificates more holistically. Apple iOS 6+ and MS WinPhone 8+ have example implementations. Apple being more clean.
Being able to select EAP-AKA as cipher would also permit operators to do WLAN/WiFi offloading more easily by authenticating the device onto their wireless networks easily.
trivore ( 2015-06-25 20:01:12 +0300 )
Any news on this? Is there a plan for having this implemented? Where might I find a development plan/site/information where all enhancements and bug fixes are planned and managed? Thank you. Kind regards,
megalith ( 2016-03-12 18:00:20 +0300 )
In my opinion this should be implemented like in Firefox and then for all applications Android/SFOS/web. Thx, megalith
megalith ( 2016-03-12 18:01:53 +0300 )
I saw this in the changelog, can anyone confirm that it works for Exchange mail?
AL13N ( 2013-12-28 17:01:50 +0300 )
Yes, it works with my company's server that has a self-signed SSL certificate.
Jukka ( 2013-12-29 18:42:04 +0300 )
Did it ask if the user wanted to accept the self-signed certificate or did it just accept it?
Karri Huhtanen ( 2014-01-09 11:08:14 +0300 )
There is a checkbox in manual settings screen to allow all certificates.
Jukka ( 2014-01-09 11:11:03 +0300 )
Uh, that's bad because it allows man-in-the-middle attacks. The proper way to do this is to add certificate management UI and/or ways for certificate pinning to Jolla.
Karri Huhtanen ( 2014-01-09 11:29:48 +0300 )
Alexander Couzens found a solution for the XMPP cert problem --> http://lunarius.fe80.eu/blog/jolla-jabber-certificate.html
A page for viewing system certificates was added to Settings. Included in update 2.0.4.
Yes, that does allow viewing the certs. But this question is about adding
pcfe ( 2018-04-29 12:34:13 +0300 )
With recent news of CA snooping, the request to manage CA root stores should be timely again. I think it is important not only to add but also remove CAs!
Asked: 2013-12-25 20:13:15 +0300
Seen: 2,815 times
Last updated: Feb 28 '19
Update for email app is needed too: at the moment all certs are silently accepted. It means that SSL security is nonexistent.
ortylp ( 2013-12-25 22:02:02 +0300 )
Also a user should be able to disable any of the pre-installed CAs on the system.
Ilari Stenroth ( 2013-12-26 01:26:42 +0300 )
This is a must, but for usability there must be a way to discover (using the browser?) which certs you actually need, and optionally reenable the CA or the single cert for the website/service you use.
ortylp ( 2013-12-26 13:48:46 +0300 )
What exactly is the physical location of the CA certs?
AL13N ( 2013-12-26 21:53:36 +0300 )
/etc/pki/tls/certs
ortylp ( 2013-12-26 23:22:52 +0300 )