im using tt-rss on debian with the “official” Android-App.
The Apache-Server on debian has a certificate, that is signed by my own CA.
I’ve deployed this “Root-CA” in all my clients (WIndows, Linux, Android) and have used it with th ttrss-app using an https://-URI succesfully for years.
Since the update to version 1.236 of the app a few days ago i get the error:
“java.security.cert.CertPathValidatorException: Trust anchor for certification path not found”
Using an http://-URI still works.
Using SSL with my “Root-CA” still works in Firefox, Chrome, K9-Mail and so on on same Android-Devices (Nexus4-Phone and Nexus7-Tablet (both on actual LineageOS)).
Using Tt-Rss in a browser with SSL on different Computer (with imported “Root-CA”) still works.
By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default.
Wow. What’s the point of user-added certificates if all apps will ignore them by default unless they opt in?
To fix this, I think you need to add a “network security configuration” and include both <certificates src="system"/> and <certificates src="user"/> to it.
Edit: I guess the default makes sense for apps that only connect to developer-provided domains (like Google Maps), but not for apps that connect to user-provided domains (like Chrome or TT-RSS).
well to be fair google has been shitting on custom certificates for years now, remember the mandatory hurr durr traffic monitored notification? no escaping the walled garden is permitted.
digging through this xml crap is no fun though, i would really prefer a pull request for this (or at least a working xml example, bleh)
(or at least a working xml example, bleh)