Android 6.0 ssl issue

[tdecker91]

Android 6.0 does not like the expiration of the cert generated when it is 100 years in the future. I see this was changed from this issue #6 from max time to 100 years.

NOT_AFTER should be configurable to avoid these kinds of issues.

Android 5.1 working

Android 6.0 not working with the same certificate

[ganskef]

Hi Tyson, thank you very much for this hint! I've never seen this problem within Android 6.0.1 or in emulator since I'm using the Certificate Authority in Firefox only. I've never tried it with the system certificates.

[ganskef]

Hmm, it seems to affect the root certificate only. Server (fake, dynamic, mitm) certificates are working in all my environments with no issue. They're using the same max value...

The best way to configure NOT_AFTER is in the Authority class. Two separate values? Alternative we could change the defaults lets say a day for a server certificate and 10 years for a root certificate. What do you think?

[tdecker91]

Hi Frank,

It seems to affect the server certificate here in CertificateHelper.java
private static final Date NOT_AFTER = new Date( System.currentTimeMillis() + 86400000L * 365 * 100);

A coworker of mine experimented with that date and found that if he set the cert to expire after less than two years it worked correctly in our environment. We have changes made that make the certificate more configurable, or load defaults if no configuration is passed in.

We will open a pull request when we are done with the changes and you can merge them in if they are to your liking.

Thanks for the quick response 👍

[ganskef]

Info: I can't reproduce this behavior on Cyanogenmod, Android 6.0.1 MOB30Z, security patch level August 5, 2016. Importing the public key of the CA from xxx.pem into Security > Trusted credentials > USER and WLAN certificates works fine with my cell phone.

My application Mo Cuishle is based on LittleProxy-mitm and every certificate (root and connections) is expiring in hundred years. I know somebody using it with vanilla Google Android on a Nexus device. I'm confused, and would like to understand the issue, will try it on emulator...

[slava-kuksa-op]

I have opened the promised pull-request #24 which brings more configuration options for dynamic certificates.