search

orgzly / orgzly-android

Outliner for taking notes and managing to-do lists
https://www.orgzly.com
GNU General Public License v3.0
2.7k stars 306 forks source link

No option to accept self signed certificate #672

Open ramos opened 4 years ago

ramos commented 4 years ago

The option "Add trusted certificate" of webdav repository does not allow to use a self signed certificate unless the CN field matches the FQDN. This is inconvenient for dynamic IP servers. Is there any workaround?

nevenz commented 4 years ago

I'm not finding a way to remove just that check. Perhaps someone else knows if it's possible, without adding an option to allow any certificate (which probably shouldn't be done).

ramos commented 4 years ago

Well, in this case I would really add the option to allow any certificate. Webdav is specially useful with self-hosted solutions (i.e. nextcloud/owncloud), and in many circumstances this involves a self signed cetificate that works with a dynamic IP. Not many choices here...

Could this option be added after advising that this is a risk?

somini commented 4 years ago

If you have a self-hosted instance, get a certificate using Let's Encrypt. If you manage your server yourself, use the certbot daemon to keep it fresh.

If you really want to add a self-signed certificate (and you shouldn't), why not add it directly to Android's cert store? That way it works on all applications.

https://support.google.com/pixelphone/answer/2844832?hl=en-GB

ramos commented 4 years ago

Thanks for the points. Unfortunately I do not own a domain. I do not have a fixed IP. Getting a certificate seems impossible under this situation.

I have the self signed certificate installed. Still it does not work.

Finally, although I perfectly understand the generic statement "you should not use self signed certificates", I am starting to be tired of this mantra. This is my home server that I would like to use when I am on the move (ssh, backups, etc...). Nobody else uses this machine. I install my self signed certificate when on my local network, and I am done forever. Works like charm in many applications: ssh, web, etc... Honestly, I find it difficult to understand why such an easy thing is not allowed after warning the user to be careful with what they are doing...

somini commented 4 years ago

Without a domain this is indeed impossible. No fixed IP is not a problem, that's my setup too. You just setup a script to run every 5min that changes the IP on DNS, if needed. This is called DDNS, I use Hurricane Electric for this.

The script is just curl -4s "https://dyn.dns.he.net/nic/update" -d "hostname=$HOSTNAME" -d "password=$PASSWORD", running on the RPi under my TV.

Domains are cheap, if you steer clear of memorable names and regular TLD.

Having a domain also let's you share stuff with other people, and they don't have to install the self-signed certificate.

Honestly, I find it difficult to understand why such an easy thing is not allowed after warning the user to be careful with what they are doing...

Because if you lose control of that private key, you can create a certificate for "github.com" that your devices accept. If you can't assure that https://github.com connects to a Microsoft-owned machine, nothing is true and everything is permitted. It's not that you lose confidentiality for your domain, you lose it for every domain.

While the private keys for CA that browsers include by default have the keys under literal lock-and-key, 24h surveillance and the whole shebang.

We are veering away from the purpose of this issue, so if @nevenz wants me to shut up please say so. :grinning:

nevenz commented 4 years ago

I'm not finding a way to remove just that check.

Scratch that, it's possible by overriding HostnameVerifier when creating OkHttpClient in WebdavRepo. A check against user-defined patterns could be added.

I don't know if it's a good idea though. But after supporting the addition of trusted certificates, we might as well support this too.

farynaio commented 2 years ago

I'm not finding a way to remove just that check.

Scratch that, it's possible by overriding HostnameVerifier when creating OkHttpClient in WebdavRepo. A check against user-defined patterns could be added.

I don't know if it's a good idea though. But after supporting the addition of trusted certificates, we might as well support this too.

@nevenz Can you create a PR?

ugurbolat commented 1 year ago

would be interested in self-signed certificates as well for WebDAV server in the local network...

CataCluj commented 1 year ago

Syncing with NextCloud through WebDav and the self-signed certificate is the first thing I tested when I installed Orgzly. Without it it's no use to me. Joplin has a checkbox; let me know when you do that too; I might try it again if I don't move to something else by then.