Peer Certificate Error

ODK'ers,

I'm running into a minor issue on our ODK deploy in India, where the user
is behind a firewall. I have no issues from my phone at all.

When trying to connect, they (the users) get the error -

form: Form listing failed. Error: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate while accessing https://-*.appspot.com/formList.

Since the certificate must be google-based at appspot.com, I shouldn't have
a certificate error. Right? I don't get a certificate issue.

When the user makes a browser connection from the same phone on the same
network, and to the same https://-*.appspot.com instance, they report
seeing the same issue. But they report being able to "click to accept" the
exception.

So, given that they are behind a rather "secure" firewall, and eventually
all the ODK operations we're implementing must go from behind this
firewall, I'm wondering, a) is there anything I can do on our side to
disable SSL; or b) troubleshoot further so I can pinpoint the issue with
their IT network team.

Provisionally, I'm concluding that I will need them to open up port 443,
or I need to make this a non-secure connection.

Sound about right?
Was this a setting I did while creating the Aggregate instance in the first
place? (i.e. can I undo it somewhere?)

What I've found in tickets and discussion is:
http://code.google.com/p/opendatakit/issues/detail?id=675
and...
https://groups.google.com/forum/?fromgroups=#!topic/opendatakit/qUTmcgoFMoo
and
http://code.google.com/p/opendatakit/wiki/AggregateTroubleshooting

Regards,

- James

Yes, on their outgoing firewall settings, they need to allow establishing
connections to port 443 on the internet, or, at least, on *.appspot.com.

If they are using a proxy, they need to enable tunneling on the 443
connections (bypassing the proxy), as otherwise the SSL certificate seen by
the phone or browser would be the SSL certificate of the proxy, and that
would cause the errors you're seeing.

The https connection ensures that the submission requests go to the
intended server (other servers can listen but cannot spoof the
communications), and it ensures that all submission data is encrypted while
in transit to the ODK Aggregate server.

Unless they are using encrypted forms, disabling https would not make sense
(given their presumed security concerns).
And if you disable it, you won't have the guarantee that your phone is
communicating with the server you intended.
But, on the other hand, nobody likely cares about interfering with their
data collection process or cares about the data unless the organization has
high-value information.

Anyway, if you want to disable HTTPS, you need to read:
http://code.google.com/p/opendatakit/wiki/AggregateDeploymentConfiguration

and change the:

security.server.channelType=REQUIRES_SECURE_CHANNEL

to

security.server.channelType=REQUIRES_INSECURE_CHANNEL

After doing this, you can re-upload the server to AppEngine, and it will
now use http: for all website access.

Mitch

On Mon, Mar 25, 2013 at 2:20 PM, James Dailey wrote:


--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
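An added diagnostic (not code from this thread or from the ODK project) for two points above: Mitch's explanation that a proxy which terminates TLS presents its own certificate instead of the server's, and James's wish to narrow the fault down before handing it to the site's IT team. It repeats the check the phone performs (system trust store, hostname verification) and sorts the outcome into "no TCP connection to 443" versus "connected, but the certificate does not verify". The hostname `example-instance.appspot.com`, the two sample certificates and the verdict labels are assumptions made for the example; none of them are real values from the deployment.

```python
import socket
import ssl
from dataclasses import dataclass


@dataclass
class ProbeResult:
    verdict: str   # ok | dns-failure | port-blocked | cert-not-trusted | tls-error | unknown
    detail: str


def classify_failure(exc: BaseException) -> str:
    """Map an exception from the TLS probe to the likely network-side cause.

    The isinstance order matters: SSLCertVerificationError is a subclass of
    SSLError, which is itself a subclass of OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Chain or hostname did not verify: the usual symptom of a proxy
        # presenting its own certificate instead of the server's.
        return "cert-not-trusted"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"         # TCP reached something, but the handshake broke
    if isinstance(exc, socket.gaierror):
        return "dns-failure"       # name never resolved; not a certificate problem
    if isinstance(exc, (TimeoutError, OSError)):
        return "port-blocked"      # no TCP session to port 443 at all: outbound firewall
    return "unknown"


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS name match: exact, or a single leftmost '*' label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard stands for exactly one label, so label counts must agree,
    # and a bare "*.tld" pattern is rejected.
    return len(p_labels) >= 3 and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: dict, host: str) -> bool:
    """True if the certificate's subjectAltName DNS entries cover host.

    `cert` uses the dict shape returned by ssl.SSLSocket.getpeercert().
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(name, host) for name in dns_names)


def issuer_org(cert: dict) -> str:
    """Return the issuer's organizationName, the quickest hint of who signed it."""
    attrs = dict(attr for rdn in cert.get("issuer", ()) for attr in rdn)
    return attrs.get("organizationName", "?")


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Connect the way the phone does: system trust store, hostname check on."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return ProbeResult("ok", f"issuer={issuer_org(cert)}")
    except Exception as exc:   # every failure is classified, nothing is re-raised
        return ProbeResult(classify_failure(exc), f"{type(exc).__name__}: {exc}")


# Constructed sample certificates (not real Google or proxy certificates).
SERVER_CERT = {
    "subject": ((("commonName", "*.appspot.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),)),
    "subjectAltName": (("DNS", "*.appspot.com"), ("DNS", "appspot.com")),
}
PROXY_CERT = {
    "subject": ((("commonName", "corp-proxy.internal.example"),),),
    "issuer": ((("organizationName", "Corp Internal CA"),),),
    "subjectAltName": (("DNS", "corp-proxy.internal.example"),),
}

if __name__ == "__main__":
    # Placeholder instance name; replace with the real Aggregate hostname.
    host = "example-instance.appspot.com"
    for label, cert in (("server", SERVER_CERT), ("proxy", PROXY_CERT)):
        print(f"{label}: covers {host}? {cert_covers_host(cert, host)}; issuer {issuer_org(cert)}")
    result = probe(host)
    print(f"live probe: {result.verdict} ({result.detail})")
```

Run it from a machine on the same network as the phones. A `port-blocked` verdict points at the outbound firewall rule for 443; `cert-not-trusted` means the handshake completed but the presented chain is not one the device trusts, which is what a TLS-inspecting proxy produces, and the issuer organization in the detail string is what to show the network team.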