Issue 1016: Email app should allow connecting to servers with untrusted certificates
Android code version you are running:
I am using the shipping version that was distributed on my phone. 1.0
TC4-RC19 109652 ota-rel-keys, release-keys
Your development environment:
Windows Vista 64 bit
Describe the problem:
My web server uses a CACert.org signed certificate. I cannot receive mail
from my server using SSL because the root cert is not trusted. But there is no
way to override or add the cert to the trusted store.
Additional information:
I was able to add the cert to the emulator and that made it trusted for the
web browser, but because there are no Windows drivers available I cannot
try the same on the device.
Oct 23, 2008
+1 Please fix. Original reporter appears to know of some mechanism to add certs to the trusted store (although he's not able to do so on Windows). Can someone explain if it's theoretically possible to do from other OSes? Is this something that must be done while in USB mode?
Oct 23, 2008
Also, note: http://forums.t-mobile.com/tmbl/board/message?board.id=87&message.id=6016 "1) The IMAP client refuses to connect to a server with a self-signed certificate. I run my own IMAP server on my home computer, and do not want to pay for a commercial certificate. This is likely a deal-breaker for me. If I cannot resolve this issue, the G1 will be returned."
Oct 23, 2008
With the new Windows drivers I tried to add the cert to the keystore. But it is read-only because I don't have root access. So now what?
Oct 24, 2008
How do I add my server's cert to the keystore? Is there documentation on this?
Oct 24, 2008
These are the directions for the emulator (does not work on the actual device):

1. Download the Harmony JDK so you can edit BKS keystores: http://harmony.apache.org/
2. Open up adb and start the server.
3. Remount the system partition read-write.
4. Pull /system/etc/security/cacerts.bks and use keytool to add your root cert to the keystore: http://code.google.com/android/reference/org/apache/http/conn/ssl/SSLSocketFactory.html The password to the keystore is the default: changeit
5. Push the keystore back to the emulator and remount read-only.

And you should be good. I can't test right now, so I am not 100% on those directions. Again, this does not work on the device because you do not have root access. I do not quite know enough about writing applications for Android to write one that will add a cert. I am planning to, but my hangup right now is how do I get enough permissions to remount the system partition. Anyone have some info? There is a testing permission that sounds like it grants root, but I haven't tested or tried it yet.
Oct 25, 2008
The workaround is "ssl if available" (or "tls if available") - it won't ever check the cert (so MITM is simple.. sigh) but it will use untrusted certs. Don't worry though, you aren't missing much. (The email app doesn't post changes to the server..)
Oct 25, 2008
Ha, you're right. Switching it to "ssl if available" makes it use untrusted.
Oct 25, 2008
Is there a workaround for certificates when trying to connect to wifi? My work wifi comes up with an untrusted certificate (Cisco) and would normally prompt me for a connect and password. I never get to that point on my G1. It will never let me enter the info and gives me "web page not available".
Oct 25, 2008
When I try "ssl if available", it won't take my password. It just says "Username or Password incorrect ()". I can connect with POP3, no SSL, after about three attempts, the first and second attempts returning "no valid authentication method available". The third attempt works and downloads mail. I'd rather have IMAP access though. There should be an option to accept self-signed certs permanently.
Oct 25, 2008
"SSL if available" does work, but what use is IMAP if it doesn't update the server? At least I can view now. Is it not updating the server a mail app thing or because of the certificates? Thanks for the workaround.
Oct 28, 2008
I might also add that if you have special characters in your password you will get the message "Username or password incorrect. ()" as well. The mail app apparently does not process special characters correctly.
Oct 29, 2008
The "if available" option works for IMAP, if you're okay with the man-in-the-middle attack issue. I control the server, so I'd know in either case; I'm not too concerned here. "SSL/TLS if available" does NOT work for SMTP if your server *requires* TLS/SSL to send mail. Mine does. Without using TLS/SSL, it thinks I'm trying to illegally relay through the SMTP server, and rejects me. I really need this fixed....
Nov 04, 2008
@michael573114
Just FYI, "I control the server" doesn't protect you against MITM. If I sit at a gateway (say, your local Starbucks) I can hand you any cert I want. The G1 will happily (and silently) accept it, and provide me with your login credentials. If I'm really sneaky, I'll proxy a connection back to the mailserver and provide you with your mail and you won't even know it happened..
That's the big problem with it not verifying untrusted certs - it will accept any cert, not just the one you explicitly trusted.
It needs to behave more like ssh ("I have a cert, it is Foo, do you trust it forever?" .. "Hey, this cert is no longer Foo! Bad Bad!")..
Nov 04, 2008
Oh right, I didn't really mean it that way, I was thinking of when the server was compromised more than MitM attacks, but now that I read what I said, I realize that wasn't really clear at all :) Both the server being compromised and a proxy along the way are certainly quite possible without proper certificate checking. I got poking around in the source for the mail client (actually K9, but whatever, same thing), and it looks to me like this is best fixed by having some sort of facility to install certificates into the system keyring (or whatever it uses). Doing it in the mail client alone means that the mail client needs to have some kind of key store itself, and the libraries used for doing SSL stuff don't look like they support anything like that.
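An added illustration (not code from the Android Email app or K-9) of the two approaches raised in the last two comments: validating the server only against your own CA in an app-private BKS keystore, which javax.net.ssl does support without root, and the ssh-style "do you trust it forever?" check on the server certificate's fingerprint. The keystore path, password and the in-memory fingerprint map are assumptions for the example.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.*;

// Added example, not code from the Android Email app or K-9. Two ways a mail
// client can trust a private CA without an "accept any certificate" switch and
// without root access to /system/etc/security/cacerts.bks.
public final class MailTrust {
    // (1) App-private trust store: validate the server chain only against the CA
    // certs in a BKS file the app ships or the user imported. Path and password
    // are assumptions for this example. BKS is built in on Android; desktop Java
    // needs the BouncyCastle provider for it, as the keytool posts above show.
    public static SSLSocketFactory fromPrivateStore(String bksPath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("BKS");   // same store type as Android's cacerts.bks
        try (FileInputStream in = new FileInputStream(bksPath)) {
            ks.load(in, storePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                // chains must end at a CA in ks, nothing else
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();               // hand this to the IMAP/SMTP socket code
    }

    // (2) ssh-style trust-on-first-use: remember the SHA-256 fingerprint of the
    // server's leaf certificate per host and refuse the connection if it changes.
    public static final class TofuTrustManager implements X509TrustManager {
        private final Map<String, String> known;     // host -> hex fingerprint; persist this map
        private final String host;
        public TofuTrustManager(Map<String, String> known, String host) { this.known = known; this.host = host; }

        public static String fingerprint(X509Certificate cert) throws CertificateException {
            try {
                byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
                StringBuilder sb = new StringBuilder(64);
                for (byte b : d) sb.append(String.format("%02x", b));
                return sb.toString();
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
            String fp = fingerprint(chain[0]);
            String seen = known.get(host);
            if (seen == null) { known.put(host, fp); return; }  // first contact: a real client prompts the user
            if (!seen.equals(fp))                               // "this cert is no longer Foo": fail closed
                throw new CertificateException("certificate for " + host + " changed to " + fp);
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client-auth checking not supported here");
        }

        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static SSLSocketFactory tofu(Map<String, String> known, String host) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TofuTrustManager(known, host) }, null);
        return ctx.getSocketFactory();               // hostname matching is a separate HostnameVerifier step
    }
}
```

Neither factory checks that the certificate's name matches the host; that is a separate HostnameVerifier step the client must still perform.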
Nov 07, 2008
Good news: now that we have root access you can edit the file in my previous directions :) Search the internet for G1 root access.
Nov 08, 2008
+1 Sucks to have to hack the phone the first day I have it. :-) I've configured my mail server to only accept SSL connections so "TLS if available" will not work for me.
Nov 09, 2008
Yes, the keystore password for cacerts.bks is "changeit". The Harmony JDK's keytool didn't work for me. I had to use the Sun JDK 1.6 keytool, and I had to install the BouncyCastle jar file from here: http://bouncycastle.org/latest_releases.html http://bouncycastle.org/download/bcprov-jdk16-141.jar into my JRE. Then I ran this command to add a CAcert to cacerts.bks:

    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -import -v -trustcacerts -alias Symas -file Symas.pem

and answered "yes" to the prompt. Now my POP3 account works.
Nov 10, 2008
Btw, update RC30 removes the root, so do this before you upgrade.
Dec 03, 2008
The suggested fix above, to set "TLS if available", is ambiguous. It does not state whether the "if available" setting will use TLS with an untrusted cert, or whether it simply skips using TLS altogether (and thus transmits my email password in plaintext across the Internet). TLS needs to be fixed to allow private certs. This is a critical issue, from where I'm standing.
Dec 03, 2008
I've tested it - this setting means that it will prefer plaintext if TLS is not available - definitely not desirable. Note that a fix for this (and many other things) was implemented in k9mail: http://code.google.com/p/k9mail
Dec 11, 2008
This really should be a default configuration option; the firmware needs to support adding certificates into the store without needing to "root" your phone. I'm confirming that this is a bug and I would love to see it fixed in a future OTA release since the previous OTA update killed my ability to add certificates to my phone.
Feb 09, 2009
(No comment was entered for this change.)
Labels: -Type-Defect Type-Enhancement
Apr 10, 2009
Any update to this? Work uses Direct Push w/ Self Signed Cert, and I could use this to get an alternative client working.
Jun 05, 2009
I'm tired of waiting for a fix. The original report (by Xomenn) was posted more than 7 months ago. Why is this problem being ignored? I'm now considering buying a certificate (as opposed to using a self-signed one). But then, where do I find a list of authorities that Android recognizes?
Jun 06, 2009
Just do like I did -- give up and switch to K9 instead. It is open source and was derived from the IMAP client included in Android, so you would think it would be easy enough to backport support from it.
Jun 06, 2009
yousef.alhashemi, are you using a rooted version of the OS? Or willing to? If so I can help with adding your self-signed cert to the system repository. Otherwise I would recommend using K9. Google will fix this when they feel like it, and there have only been 28 comments in 7 months so I doubt it will be much of a priority.
Jun 06, 2009
They have not even marked it as reviewed.
Jun 08, 2009
The Android phone has arrived in Canada, and I just got back from going to buy one. My first question: "CAN I IMPORT MY COMPANY'S ROOT CA CERTIFICATE?" On testing, it turns out the answer is "NO". As this means I cannot check my email with it, I left without a new phone. This needs to get fixed. I can understand why importing random root CA certificates off the web is a bad idea (phishing), but some way of deliberately importing one is required. This is accepted practice for corporate desktop roll-outs; mobile devices are the next wave.
Jun 08, 2009
I went with the Touchdown client from the Marketplace to get around this problem, and have been really happy with the results.
Jun 09, 2009
*bump* I too self-sign my mail server and it would be nice not to use the "ssl if available" workaround. I'd rather force SSL and have it fail rather than attempting to send my password over the standard channel.
Jul 31, 2009
*bump* Really want to see this fixed - I want to import self-signed certs so I can test my applications. Why is this such an issue? We have a keystore, why can't we have access to it?
Aug 20, 2009
If you have root access, you can do something like this:

    # get the cacert root certificate
    wget -N http://www.cacert.org/certs/root.crt
    # get the BouncyCastle support jar
    wget -N http://bouncycastle.org/download/bcprov-jdk16-141.jar
    # install the jar, on my debian box that's this:
    sudo mv bcprov-jdk16-141.jar /usr/lib/jvm/java-6-sun-1.6.0.14/jre/lib/ext/
    # read the existing cacerts.bks off your phone
    adb pull /system/etc/security/cacerts.bks cacerts.bks
    # add the cacert as a trusted ca
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -import -trustcacerts -alias CACERT -file root.crt
    # test that it worked. :)
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list | grep -i cacert
    # remount /system read-write
    adb shell mount -o remount,rw /system
    # upload the new certs file
    adb push cacerts.bks /system/etc/security/
    # remount /system read-only
    adb shell mount -o remount,ro /system

I'll attach a modified cacerts.bks here in case you want to just upload mine with the last 3 steps. I recommend you repeat the steps instead of trusting mine. :) Nevertheless, I'll attach it. md5sum info: 7ab03d8cc400d1db01b0b0b22b539073 cacerts.bks

Note: placing this file in your build tree should include it in your built images. I've not tried this yet, but it would go here: dalvik/libcore/security/src/main/files/cacerts.bks
Aug 20, 2009
But getting root access on a Magic isn't an option; without the dev phone it's irreversible and quite likely to break. Is there some way to work around this and modify the keystore on a non-rooted Magic (or G1)?
Aug 20, 2009
Nope, each application can have its own keystore that can be customized, but without root or OS support for changes there is no way to manage the certificates. Everyone agree?
Aug 20, 2009
Sure you can root an HTC Magic: http://android-dls.com/wiki/index.php?title=Magic_Rooting
Aug 21, 2009
Even Sony Ericsson phones support import of a CA certificate. So do Symbian S60 and Windows Mobile. They do so because this is a feature _people_ _need_. Many business mail systems have self-signed or private CA-derived certificates, not only for mail but also often for private intranets. In addition to lacking support for importing CA certs, Android appears to lack any facility for importing a PKCS#12 client certificate or specifying a .p12 file when performing SSL/TLS negotiation against a server. http://code.google.com/p/android/issues/detail?id=3620
Aug 24, 2009
Hi, I need to create a keystore on the Android phone with the server certificate and the user's private key. Any idea? Also I need PKCS#11 but I don't know how to do it. Thanks
Aug 24, 2009
(No comment was entered for this change.)
Labels: Component-Applications
Aug 24, 2009
The last couple of posts were application related, but the issue is not. We need OS support for third party certificates.
Aug 27, 2009
(No comment was entered for this change.)
Summary: Email app should allow connecting to servers with untrusted certificates
Labels: Subcomponent-Email
Aug 27, 2009
Issue 1077 has been merged into this issue.

Aug 27, 2009
Issue 3237 has been merged into this issue.

Aug 27, 2009
Issue 3620 has been merged into this issue.
Aug 27, 2009
Issue 3620 was incorrectly merged into issue 1016. 3620 is about X.509 *CLIENT* certificates, which contain *PRIVATE* keys that are used by the client to authenticate itself to the server for bi-directional SSL authentication. They are not the same thing as the CA certificates (which contain public keys) referred to by 1016. Client certificate support is not the same as support for adding CA certificates. Both do require a user-updatable certificate store to be effective, but use of client certificates also requires support in the SSL/TLS libraries to notice a client cert request from the server during negotiation and look up the appropriate certificate, possibly prompting the user for the cert's passphrase if it's stored encrypted in the phone keystore.
Sep 17, 2009
I am not sure if this is related, but sources indicate that it is. This T-Mobile Forums thread shows what happens when I try to send email from my MyTouch 3G with either k9mail or the default email application. I have tried the "SSL/TLS if Available" to no avail. It also appears that the mail applications are not using AUTH PLAIN too. http://forums.t-mobile.com/tmbl/board/message?board.id=AndroidAppHelp&message.id=5507#M5507 (While the logs show an invalid password, the password is *NOT* incorrect, and that has been verified countless times. I can use the exact same credentials to authenticate SMTP from any other MUA.)
Oct 27, 2009
A kind of the same problem on a web page... When I try to access the intranet of my company on a computer, the page asks me to accept the certificate; when that is done I should enter my username and password. On the web browser of Android, I have a message about the certificate: view, continue, leave. I select continue and I have an error 401. Thanks
Oct 31, 2009
We NEED support for third party CA certificates!!!
Nov 09, 2009
Agreed. On the Droid it allows me to import a certificate, but then asks for a password. There IS no password. I really don't want to have to go back to the iPhone at this point.
Nov 09, 2009
Try 'changeme' as keystore password
Nov 09, 2009
Thanks eimann, tried that but no good.
Nov 09, 2009
Where did you go on the Droid to import the cert? I put it on a webserver and pulled it up that way. Seemed to import it, but the mail client obviously wasn't using it.
Nov 09, 2009
Settings -> Location and security -> Install from SD card
Nov 10, 2009
By the way, guys. This isn't really an enhancement since neither "SSL accept all certificates" nor importing a certificate work as they should.
Nov 24, 2009
Using the Motorola Droid from Verizon and I've run into all the problems I've seen others reporting - just when you think it's going to work by importing a properly exported .p12 certificate from SD, it goes into the "password not correct" nonsense, which of course makes it impossible to import the cert. Everything about my sync with Exchange (2007) works except the ability to get attachments. SSL is required, so there is no "turn it off to get attachments" choice for me. I recall having an issue with a client a while back where they had gotten Blackjack Windows Mobile devices. With previous Windows Mobile devices, you could import a cert, but not with those - the client HAD to get a Thawte (or similar) certificate or they were just out of luck. Please fix this, Google. You've got SO many cool things going for your stuff and little misses like this keep some folks from taking the device seriously. I know that there is an interest in Google promoting their own mail solutions, even to corporate, but not fixing what seems like such a simple thing doesn't seem a good way to try to attract that audience.
Dec 01, 2009
I am using the European version of the Droid, the "Milestone". I have the same problem. I downloaded the .p12 certificate to the SD card but it requires a password, which I don't have any clue about.
Dec 22, 2009
The "bouncycastle" method worked for me for https, but when it comes to SMTP (either SSL or TLS) with K-9 it didn't. I think it's because my hosting server shares the certificate with others and uses a wildcard in the name, like "*.serversite.com". Could it be because of that?
Jan 05, 2010
I am uploading certificates into the /root/myandroid/dalvik/libcore/security/src/main/files/cacerts directory. Please find the listing:

    :~/myandroid/dalvik/libcore/security/src/main/files/cacerts# ls
    class3.crt  root.crt

After building the filesystem, when I am running it, I am getting the following errors:

    E/keystore( 2328): Can not initialize the keystore, the directory exist?
    E/ ( 2329): Can not open/create the keystore directory /data/misc/keystore/
    E/keystore( 2329): Can not initialize the keystore, the directory exist?

I think the certimport.sh script is not working properly, and is not creating cacerts.bks

    ~/myandroid/dalvik/libcore/security/src/main/files# ls
    cacerts  cacerts.bks  certimport.sh
Jan 05, 2010
I don't understand that script, it seems to delete the certificate store at first! Are you sure you can trust that script?
Jan 05, 2010
This is the correct script but my keytool does not support the -providerpath option. I am getting the error:

    Illegal option: -providerpath
    keytool usage:
Jan 05, 2010
Can you help me with how to install the correct keytool, one that supports all the options required to create a .bks store?
Jan 05, 2010
    # keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -import -trustcacerts -alias CACERT -file root.crt
    keytool error: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
Jan 20, 2010
My HTC Magic seems to have been silently updated on January 15, and I can no longer send or receive mail through my SSL-required mail server. Without mail, my phone may as well be a brick. An $85/month brick. I tried to import the company root CA certificate that signed the mail server certificate by downloading it in the Android browser. This resulted in the following message:

    <Unknown>
    www.site.tld
    Cannot download. The content is not supported on the phone.

As has been pointed out more than once earlier in this thread, not supporting SSL mailserver access makes Android pretty well useless in corporate environments. Can we please get a higher priority for this issue? Thanks.