Ask / Submit
106

GUI to add/trust SSL root certs/self signed certs

asked 2013-12-25 20:13:15 +0200

slaveriq gravatar image

updated 2014-12-10 14:43:57 +0200

rainisto gravatar image

Would be nice to be able to add the Ca root certs or trust a selfsigned cert. This should be a global trust for eg wifi/browser/email client and so on.

edit retag flag offensive close delete

Comments

5

Update for email app is needed too: at the moment all certs are silently accepted. It means, that SSL security is nonexistent.

ortylp ( 2013-12-25 22:02:02 +0200 )edit
9

Also a user should be able to disable any of the pre-installed CAs on the system.

Ilari Stenroth ( 2013-12-26 01:26:42 +0200 )edit
1

This is a must, but for usability there must be a way to discover (using the browser?) which certs you actually need, and optionally reenable the CA or the single cert for the website/service you use.

ortylp ( 2013-12-26 13:48:46 +0200 )edit

what exactly is the physical location of the CA certs?

AL13N ( 2013-12-26 21:53:36 +0200 )edit

/etc/pki/tls/certs

ortylp ( 2013-12-26 23:22:52 +0200 )edit

4 Answers

Sort by » oldest newest most voted
23

answered 2014-01-16 10:44:37 +0200

I think this should be solved by having a proper certificate management in Jolla with UI and all as well as having a ways to securely accept self-signed certificates when they may be needed.

The following is a copy of a question/feature-request I made before, but which was closed as duplicate of this question. Accepting self signed certificates is still open so if you would want to be able to accept/deny certificates in any app (email, XMPP, web browser, etc.) please go and vote for it.

A certificate manager (with UI) to install, modify and delete X.509 certificates on Jolla device is needed.

This certificate manager should be able to handle installing of the both CA and client certificates from files, email attachments, configuration packages or directly from web browser downloads. Mime types could be used for sending certificates always to certificate manager app.

It should also have the capabilities to edit trust settings for all certificates like for example that certain certificates could only verify email servers, web servers, wifi authentication servers or persons and not by default all of them.

Managing certificates should support mass operations so that for example revoking trust from several certificates could be done without having to go through all certificates one-by-one.

No certificates should be above the certificate manager control meaning that also builtin certificates should be able to be deleted or at least distrusted or their scope to be modified (limiting them for example to web site authorisation etc.).

edit flag offensive delete publish link more

Comments

1

imho, this doesn't need to come from jolla, an app could be made for this...

AL13N ( 2014-01-18 00:17:22 +0200 )edit
6

This kind of functionality is a part of core platform security, because every app using SSL/TLS needs to be able to use it. The only way to keep it stable and secure is to develop it with the platform. Outsiders cannot participate, they can only follow and that does not work.

Karri Huhtanen ( 2014-01-18 10:58:28 +0200 )edit

I'll add one more requirement on top of that of Karri's: API to mange the certificates via EMM/MDM platform. Rationale for this are enterprises running WLAN networks with WPA2 Enterprise authentication. That is, they have corporate root certificate they need to mass-deploy to devices at the minimum. Normally they also need something like SCEP on devices to manage certificates more holistically. Apple iOS 6+ and MS WinPhone 8+ have example implementations. Apple being more clean.

Being able to select EAP-AKA as cipher would also permit operators to do WLAN/WiFi offloading more easily by authenticatin the device onto their wireless networks easily.

trivore ( 2015-06-25 20:01:12 +0200 )edit

Any news on this? Is there a plan for having this implemented? Where might I find a development plan/site/information where all enhancements and bugsfixes are planed and managed? Thank you. Kind regards,

megalith ( 2016-03-12 18:00:20 +0200 )edit

In my opinion this should be implemented like in firefox and then for all applications android/SFOS/web. Thx, megalith

megalith ( 2016-03-12 18:01:53 +0200 )edit
6

answered 2013-12-25 20:40:56 +0200

Jukka gravatar image

For Exchange email this is coming in the next update.

edit flag offensive delete publish link more

Comments

i saw this in the changelog, can anyone confirm that it works for exchange mail?

AL13N ( 2013-12-28 17:01:50 +0200 )edit

Yes, it works with my company's server that has a self-signed SSL certificate.

Jukka ( 2013-12-29 18:42:04 +0200 )edit

Did it ask if the user wanted to accept the self-signed certificate or did it just accept it?

Karri Huhtanen ( 2014-01-09 11:08:14 +0200 )edit

There is a checkbox in manual settings screen to allow all certificates.

Jukka ( 2014-01-09 11:11:03 +0200 )edit

Uh, that's bad because it allows man-in-the-middle attacks. The proper way to do this is to add certificate management UI and/or ways for certificate pinning to Jolla.

Karri Huhtanen ( 2014-01-09 11:29:48 +0200 )edit
3

answered 2014-01-20 22:52:30 +0200

Nokius gravatar image

Alexander Couzens

found a soulution for the XMPP cert Problem --> http://lunarius.fe80.eu/blog/jolla-jabber-certificate.html

edit flag offensive delete publish link more
3

answered 2016-10-27 14:43:47 +0200

jovirkku gravatar image

A page for viewing system certificates was added to Settings. Included in update 2.0.4.

edit flag offensive delete publish link more

Comments

1

Yes, that does allow viewing the certs. But this question is about adding

pcfe ( 2018-04-29 12:34:13 +0200 )edit
Login/Signup to Answer

Question tools

Follow
23 followers

Stats

Asked: 2013-12-25 20:13:15 +0200

Seen: 2,322 times

Last updated: Oct 27 '16