Doesn't check certificate expiry correctly

nextcloud / android

📱 Nextcloud Android app

https://play.google.com/store/apps/details?id=com.nextcloud.client

GNU General Public License v2.0

4.26k stars 1.77k forks source link

Doesn't check certificate expiry correctly #5057

Open AdamantUnstable opened 4 years ago

AdamantUnstable commented 4 years ago

Steps to reproduce

Create NextCloud server
Setup LetsEncrypt
Allow certificate to expire

Expected behaviour

Connection failure due to expired HTTPS certificate

Actual behaviour

App successfully connects and transfers data over potentially insecure connection (hopefully this only applies to previously valid but now expired certificates and forged certs don't also work)

Environment data

Android version: 9

Device model: Samsung Note 9

Stock or customized system: Stock

Nextcloud app version: 3.9.2

Nextcloud server version: 16 (latest stable Snap release)

AndyScherzinger commented 4 years ago

cc @tobiasKaminsky

stale[bot] commented 4 years ago

This request did not receive an update in the last 4 weeks. Please take a look again and update the issue with new details, otherwise the issue will be automatically closed in 2 weeks. Thank you!

AndyScherzinger commented 4 years ago

Cc @tobiasKaminsky

AndyScherzinger commented 3 years ago

pinging @tobiasKaminsky and also @LukasReschke also refering to #3305 in general and https://github.com/nextcloud/android/issues/3305#issuecomment-846601176 specifically

tobiasKaminsky commented 3 years ago

We will take care of it, ref: https://github.com/nextcloud-gmbh/security/issues/30

Torqu3Wr3nch commented 1 year ago

Was this ever resolved? I notice the issue is still marked as open. This is an extremely serious flaw.