Tiny Tiny RSS: Community

Problem with Android-App 1.236 using https with own "Root-CA"


#1

Hi,

I'm using tt-rss on Debian with the "official" Android app.

The Apache server on Debian has a certificate that is signed by my own CA.
I've deployed this "Root-CA" on all my clients (Windows, Linux, Android) and have used it with the ttrss app via an https://-URI successfully for years.

Since the update to version 1.236 of the app a few days ago I get the error:
"java.security.cert.CertPathValidatorException: Trust anchor for certification path not found"

Using an http://-URI still works.
Using SSL with my "Root-CA" still works in Firefox, Chrome, K9-Mail and so on on the same Android devices (Nexus 4 phone and Nexus 7 tablet, both on current LineageOS).
Using tt-rss in a browser with SSL on a different computer (with the imported "Root-CA") still works.

Bye…
Michael


#2

@fox
From https://developer.android.com/training/articles/security-config.html

By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default.

Wow. What’s the point of user-added certificates if all apps will ignore them by default unless they opt in?

To fix this, I think you need to add a “network security configuration” and include both <certificates src="system"/> and <certificates src="user"/> to it.

Edit: I guess the default makes sense for apps that only connect to developer-provided domains (like Google Maps), but not for apps that connect to user-provided domains (like Chrome or TT-RSS).
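The configuration the post above describes, written out as an added example (this is not code from the tt-rss app or its repository; the resource file name follows the Android documentation linked above). It restores the pre-API-24 behaviour for this app only: the user-added CA store is trusted alongside the system store, and cleartext http:// URIs stay allowed, which matches what the thread reports still working.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the tt-rss app).
     Referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config" ...>.
     Without this file, apps targeting API 24+ trust only the pre-installed system CAs,
     which is what produces "Trust anchor for certification path not found" for a
     server certificate signed by a user-installed private CA. -->
<network-security-config>
    <!-- base-config applies to every destination the user types in; this app connects to
         user-provided hosts, so a per-domain <domain-config> is not usable here. -->
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <!-- The device's built-in CA store (the default for API 24+). -->
            <certificates src="system" />
            <!-- CAs the device owner installed under Settings > Security, e.g. a
                 self-run "Root-CA" as in the original post. Trusting this store means
                 any CA the user adds can issue certificates this app will accept,
                 which is the same policy Chrome and Firefox on Android follow. -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

The file has to be declared on the `<application>` element of the manifest, otherwise it is silently unused and the default (system-only) policy stays in effect. Setting `cleartextTrafficPermitted="true"` is only there to keep plain http:// working as before; an app that wants to forbid cleartext would set it to `false` instead.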


#3

Well, to be fair, Google has been shitting on custom certificates for years now, remember the mandatory hurr durr traffic monitored notification? No escaping the walled garden is permitted.

Digging through this XML crap is no fun though, I would really prefer a pull request for this :frowning: (or at least a working XML example, bleh)


#4

Any reason you’re not just using a LetsEncrypt certificate these days?


#5

Sorry I did not actually test it. I have a Let’s Encrypt certificate on my server and don’t feel like messing with it.


#6

I'll upload a beta build a bit later, thanks

e: build 471 should be up in a few hours