Hello,

On Mon, 14 Oct 2013 15:26:42 +0200
Paul Kocialkowski <pa...@paulk.fr> wrote:

> A new app was added to F-Droid recently and apparently makes it
> possible to have cardDAV sync. I did try it with Owncloud but it
> failed because it doesn't accept self-signed SSL certificates :(
>
> Apparently the author thinks it's bad to accept self-signed
> certificates or to even ask the user about what to do (which most
> apps do).

I'm not sure which "most apps" you mean. Netscape Navigator in old good
times offered such behavior. Now most apps just fail, though *few* allow
to re-run with certificate check disabled (try wget) or go thru extra
hops (scary screens) to add certificate (current Firefox/Chromium
behavior is like the latter). Simply written Java app would just fail,
period. To make it not fail one should think about such possibility and
then go thru multiple hops to make it not fail:

http://stackoverflow.com/questions/2893819/telling-java-to-accept-self-signed-ssl-certificate

So, it's likely not that "author thinks it's bad", but he probably
doesn't know about the issue at all.

> When I'm configuring the device through my own private
> network (server and client on the same LAN), I see very few odds of
> having MITM.
>
> Also since my certificate doesn't have any authority certificate, I
> cannot import it to my device it seems. Or maybe someone knows better
> and it turns out I can? Anyway, I'll probably ask the author to
> reconsider his position.

Shouldn't *Replicant* allow to import *any* certificate regardless if
some vendor Android or AOSP put additional restrictions on certificate?

-- 
Best regards,
 Paul                          mailto:pmis...@gmail.com