SSLPeerUnverifiedException

Greetings.

In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the
certificate tests fine in tools like
http://www.digicert.com/help/?host=elmo.sassafrastech.com, and the page
loads fine in the Android browser.

Has anyone encountered anything like this?

It works fine for other servers.

It could perhaps be a caching issue. If someone else could try it on their
device, that would be a big help.

--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com

I have exactly the same message when trying to connect via ODKBriefcase
onto an SSL configured server... any help greatly appreciated.

Tumaini


I am also getting a similar error (SSL Peer Unverified Exception) when
connecting ODK Collect version 1.4.5 to Aggregate. I have installed
a .pk7 certificate (that bundled GoDaddy's intermediate and our
domain certificates) to the server but on testing using Networking4All and
SSLShopper I get the errors as shown on the attached images. I have tried
installing intermediate certificates from GoDaddy available at
https://certs.godaddy.com/repository as detailed at
http://technet.microsoft.com/en-us/library/cc754841.aspx. I believe I am
missing a very tiny configuration or step to get this working and go and
celebrate. Can anybody please suggest a pathway/solution?

Regards,
Caesar

Tumaini, thanks for chiming in here. Could you name the server hostname and
the certificate issuer (e.g. Geotrust) in case the ODK folks need that info?


Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.

Thanks again,
Tumaini


Apologies, please find below the SSL test URLs that gave the issues
explained above.

1. https://www.networking4all.com/en/support/tools/site+check/report/?fqdn=odk.kemri-wellcome.org&protocol=https
2. https://www.sslshopper.com/ssl-checker.html#hostname=odk.kemri-wellcome.org

regards,

caesar

Tom,

I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...

Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).

Failure

http://www.sslshopper.com/ssl-checker.html#hostname=https://elmo.sassafrastech.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://openhds.ihi.or.tz/ODKAggregateUrban

Success

http://www.sslshopper.com/ssl-checker.html#hostname=https://www.surveycto.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://google.com

The reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.

You can test this out by writing an app that uses different levels of
hostname verification. See


for an example.

Yaw

--
Need ODK services? http://nafundi.com provides form design, professional support, custom reporting, and software development for ODK.
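What "different levels of hostname verification" looks like in code, as an added example that is not from this thread or from ODK's code base: it runs constructed certificate names through the strict and browser-compatible verifiers shipped with Apache HttpClient 4.x, without any network access. It assumes HttpClient 4.x is on the classpath; per that library's documentation the two verifiers differ only in how far a wildcard reaches (browser-compatible lets `*.example.org` match `data.odk.example.org`, strict stops at one label).

```java
import javax.net.ssl.SSLException;

import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.conn.ssl.X509HostnameVerifier;

/**
 * Runs the same certificate names through Apache HttpClient 4.x's strict and
 * browser-compatible hostname verifiers, offline.
 * All host names below are constructed sample values.
 */
public class HostnameVerifierComparison {

    /** True when the verifier accepts host for a certificate carrying these names. */
    static boolean accepts(X509HostnameVerifier verifier, String host,
                           String[] commonNames, String[] subjectAltNames) {
        try {
            // Throws SSLException when host matches neither the first CN nor any SAN.
            verifier.verify(host, commonNames, subjectAltNames);
            return true;
        } catch (SSLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        X509HostnameVerifier strict = new StrictHostnameVerifier();
        X509HostnameVerifier browser = new BrowserCompatHostnameVerifier();

        // No subjectAltName entries: only the CN is checked in this comparison.
        String[] noSans = new String[0];

        // Each row: requested host, certificate CN (constructed sample values).
        String[][] cases = {
            {"odk.example.org",      "odk.example.org"},  // exact match
            {"odk.example.org",      "*.example.org"},    // wildcard, one label deep
            {"data.odk.example.org", "*.example.org"},    // wildcard, two labels deep
            {"odk.example.org",      "www.example.org"},  // certificate for another host
        };

        System.out.printf("%-24s %-18s %-8s %s%n",
                "host", "cert CN", "strict", "browser-compat");
        for (String[] c : cases) {
            String[] cns = {c[1]};
            System.out.printf("%-24s %-18s %-8b %b%n", c[0], c[1],
                    accepts(strict, c[0], cns, noSans),
                    accepts(browser, c[0], cns, noSans));
        }
    }
}
```

A connection failure that reproduces for a host whose certificate name matches under both verifiers is not explained by the verification level, which leaves the certificate chain the server sends as the next thing to check.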


Thomas, Tumaini,

We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues
go away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the certificate
chain we use. It was a huge pain to construct to begin with, and then it
was a huge pain to re-construct when we recently renewed.

Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For
us, that wasn't an option because we're using a wildcard certificate, but
for one-off domains it's not worth the hassle to get a lower-priced
certificate to be as widely trusted.

Best,

Chris


Christopher, thanks for your input. So far nobody has been able to explain
why the StartSSL and Geotrust certs are trusted by the Android browser and
pretty much everything else, but not by ODK. Does the ssl library consult a
different list of trusted authorities? Wouldn't that be odd?

We are using Android v4.x here, so age is not an issue.

I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.


Hi Thomas,

It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.

However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see lots
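of other possibilities, including the one discussed here:

http://stackoverflow.com/questions/11923380/android-ssl-javax-net-ssl-sslpeerunverifiedexception-no-peer-certificate-yet
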
It could be a server configuration issue of some sort.

Best,

Chris


Hmm, that answer resulted in this: "After piles of digging and
experimentation, I finally realized that the url I was using had hard coded
port 80 instead of defaulting to 443. Dumb dumb dumb."

This is certainly not the case here.

Would love to hear the ODK core folks chime in on this one...

··· On 11 September 2013 09:55, Christopher Robert wrote:

Hi Thomas,

It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.

However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see lots
of other possibilities, including the one discussed here:

http://stackoverflow.com/questions/11923380/android-ssl-javax-net-ssl-sslpeerunverifiedexception-no-peer-certificate-yet

It could be a server configuration issue of some sort.

Best,

Chris

On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth tom@sassafrastech.comwrote:

Christopher, thanks for your input. So far nobody has been able to
explain why the StartSSL and Geotrust certs are trusted by the Android
browser and pretty much everything else, but not by ODK. Does the ssl
library consult a different list of trusted authorities? Wouldn't that be
odd?

We are using Android v4.x here, so age is not an issue.

I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.

On 11 September 2013 09:10, Christopher Robert crobert@surveycto.comwrote:

Thomas, Tumaini,

We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues
go away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the
certificate chain we use. It was a huge pain to construct to begin with,
and then it was a huge pain to re-construct when we recently renewed.

Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For
us, that wasn't an option because we're using a wildcard certificate, but
for one-off domains it's not worth the hassle to get a lower-priced
certificate to be as widely trusted.

Best,

Chris

On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba tkilimba@ihi.or.tzwrote:

Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.

Thanks again,
Tumaini

On Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.comwrote:

Tumaini, thanks for chiming in here. Could you name the server
hostname and the certificate issuer (e.g. Geotrust) in case the ODK folks
need that info?


Bingo. Beautiful. I suspected something exactly like this. Thank you Yaw.

Is there any reason ODK's security level is so high? Higher than the
Android browser that is probably handling credit card information, etc.,
out the wazoo?

Or if there are some folks that need super high security, couldn't there be
a prefs setting? It could even default to super-high for all I care. Just
as long as there was some way to tone it down a bit.

I might could supply this patch if there was agreement...

··· On 11 September 2013 10:31, Yaw Anokwa wrote:

Tom,

I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...

Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).

Failure

http://www.sslshopper.com/ssl-checker.html#hostname=https://elmo.sassafrastech.com

http://www.sslshopper.com/ssl-checker.html#hostname=https://openhds.ihi.or.tz/ODKAggregateUrban

Success

http://www.sslshopper.com/ssl-checker.html#hostname=https://www.surveycto.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://google.com

The reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.

You can test this out by writing an app that uses different levels of
hostname verification. See

http://stackoverflow.com/questions/2012497/accepting-a-certificate-for-https-on-android
for an example.

Yaw

Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.

On Wed, Sep 11, 2013 at 6:55 AM, Christopher Robert chrislrobert@gmail.com wrote:

Hi Thomas,

It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.

However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see lots
of other possibilities, including the one discussed here:

http://stackoverflow.com/questions/11923380/android-ssl-javax-net-ssl-sslpeerunverifiedexception-no-peer-certificate-yet

It could be a server configuration issue of some sort.

Best,

Chris

On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth tom@sassafrastech.com wrote:

Christopher, thanks for your input. So far nobody has been able to explain
why the StartSSL and Geotrust certs are trusted by the Android browser and
pretty much everything else, but not by ODK. Does the ssl library consult a
different list of trusted authorities? Wouldn't that be odd?

We are using Android v4.x here, so age is not an issue.

I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.


Tom,

I can't think of a good reason why it's that strict and I think a
patch to dial it down would be a good idea.

No settings. I prefer opinionated software.

Yaw

··· -- Need ODK services? http://nafundi.com provides form design, professional support, custom reporting, and software development for ODK.
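As an added example (not code from this thread, ODK, or Apache HttpClient): a simplified Java model of the wildcard rule documented for Apache HttpClient 4.x's strict and browser-compatible hostname verifiers, the two levels named in this thread. The class, method names, and hostnames are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Simplified model of the wildcard rule that separates "strict" from
 * "browser compatible" hostname verification. Illustration only: it does not
 * call the real verifier classes, and every name below is a constructed sample.
 */
public class HostnameVerifierLevels {

    enum Level { STRICT, BROWSER_COMPATIBLE }

    /** True if one name from the certificate (CN or subjectAltName) covers the host. */
    static boolean nameMatches(String certName, String host, Level level) {
        String name = certName.trim().toLowerCase(Locale.ROOT);
        String h = host.trim().toLowerCase(Locale.ROOT);

        if (!name.startsWith("*.")) {
            return name.equals(h);           // no wildcard: exact match only
        }
        String suffix = name.substring(1);   // "*.example.org" -> ".example.org"
        // Conservative choice made for this sample: refuse wildcards that sit
        // directly under a single label, such as "*.org".
        if (suffix.indexOf('.', 1) < 0) {
            return false;
        }
        if (!h.endsWith(suffix) || h.length() == suffix.length()) {
            return false;                    // other domain, or no label in front of the suffix
        }
        String covered = h.substring(0, h.length() - suffix.length());
        if (level == Level.STRICT) {
            return covered.indexOf('.') < 0; // the wildcard stands for exactly one label
        }
        return true;                         // browser compatible: any depth of subdomain
    }

    /** True if any name listed in the certificate covers the host at the given level. */
    static boolean verify(List<String> certNames, String host, Level level) {
        for (String n : certNames) {
            if (nameMatches(n, host, level)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed certificate names: the bare domain plus a wildcard entry.
        List<String> certNames = Arrays.asList("example.org", "*.example.org");
        String[] hosts = {
            "example.org",            // exact name
            "www.example.org",        // one label in front of the domain
            "forms.data.example.org", // two labels in front of the domain
            "example.net"             // unrelated domain
        };
        System.out.printf("%-26s %-8s %s%n", "host", "strict", "browser-compatible");
        for (String host : hosts) {
            System.out.printf("%-26s %-8b %b%n", host,
                verify(certNames, host, Level.STRICT),
                verify(certNames, host, Level.BROWSER_COMPATIBLE));
        }
    }
}
```

Hostname verification only compares the requested host with the names in the server's certificate; validation of the certificate chain against the trust store is a separate step that neither level changes.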


So much the easier!


http://www.sslshopper.com/ssl-checker.html#hostname=https://odk.tph.unibas.ch/ODKAggregateSSL

It is all OK for our server but still SSLPeerUnverifiedException in
Briefcase.

Any update on Briefcase to lower the trust levels or to fix this?

Aurelio


I'd recommend talking to GoDaddy support about this.

On 20 March 2015 at 05:15, Caesar wrote:

Apologies, please find below the SSL test URLs that gave the issues
explained above.

1. https://www.networking4all.com/en/support/tools/site+check/report/?fqdn=odk.kemri-wellcome.org&protocol=https
2. https://www.sslshopper.com/ssl-checker.html#hostname=odk.kemri-wellcome.org

regards,

caesar

--
Tom Smyth

Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafras.coop · @sassafrastech

Resident, Touchstone Cohousing
touchstonecohousing.org

The trust levels are the default setting of the Apache HTTP Client
libraries. Open an issue with your patch and we'll take a look.

On Wed, Sep 11, 2013 at 12:18 PM, Thomas Smyth wrote:

So much the easier!

On 11 September 2013 14:49, Yaw Anokwa yanokwa@nafundi.com wrote:

Tom,

I can't think of a good reason why it's that strict and I think a
patch to dial it down would be a good idea.

No settings. I prefer opinionated software.

Yaw

Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.

On Wed, Sep 11, 2013 at 7:44 AM, Thomas Smyth tom@sassafrastech.com wrote:

Bingo. Beautiful. I suspected something exactly like this. Thank you
Yaw.

Is there any reason ODK's security level is so high? Higher than the Android
browser that is probably handling credit card information, etc., out the
wazoo?

Or if there are some folks that need super high security, couldn't there be
a prefs setting? It could even default to super-high for all I care. Just as
long as there was some way to tone it down a bit.

I might could supply this patch if there was agreement...

On 11 September 2013 10:31, Yaw Anokwa yanokwa@nafundi.com wrote:

Tom,

I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...

Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).

Failure

http://www.sslshopper.com/ssl-checker.html#hostname=https://elmo.sassafrastech.com

http://www.sslshopper.com/ssl-checker.html#hostname=https://openhds.ihi.or.tz/ODKAggregateUrban

Success

http://www.sslshopper.com/ssl-checker.html#hostname=https://www.surveycto.com

http://www.sslshopper.com/ssl-checker.html#hostname=https://google.com

The reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.

You can test this out by writing an app that uses different levels of
hostname verification. See

http://stackoverflow.com/questions/2012497/accepting-a-certificate-for-https-on-android

for an example.

Yaw

Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.

On Wed, Sep 11, 2013 at 6:55 AM, Christopher Robert chrislrobert@gmail.com wrote:

Hi Thomas,

It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.

However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see lots
of other possibilities, including the one discussed here:

http://stackoverflow.com/questions/11923380/android-ssl-javax-net-ssl-sslpeerunverifiedexception-no-peer-certificate-yet

It could be a server configuration issue of some sort.

Best,

Chris

On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth <tom@sassafrastech.com> wrote:

Christopher, thanks for your input. So far nobody has been able to explain
why the StartSSL and Geotrust certs are trusted by the Android browser and
pretty much everything else, but not by ODK. Does the ssl library consult a
different list of trusted authorities? Wouldn't that be odd?

We are using Android v4.x here, so age is not an issue.

I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.

On 11 September 2013 09:10, Christopher Robert <crobert@surveycto.com> wrote:

Thomas, Tumaini,

We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues go
away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the certificate
chain we use. It was a huge pain to construct to begin with, and then it was
a huge pain to re-construct when we recently renewed.

Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For us,
that wasn't an option because we're using a wildcard certificate, but for
one-off domains it's not worth the hassle to get a lower-priced certificate
to be as widely trusted.

Best,

Chris

On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba <tkilimba@ihi.or.tz> wrote:

Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.

Thanks again,
Tumaini

On Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth <tom@sassafrastech.com> wrote:

Tumaini, thanks for chiming in here. Could you name the server hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks need that
info?


--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
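
The difference between strict and browser-compatible hostname verification mentioned in the quoted message above, as an added example that is not part of the original thread and is not ODK or Apache code. It is a simplified model of the wildcard rule documented for Apache HttpClient 4.x's StrictHostnameVerifier and BrowserCompatHostnameVerifier; the function names and all hostnames are constructed for illustration, and the library's extra checks (such as country-code wildcards) are left out.

```python
import ipaddress


def _is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal; wildcards never apply to IPs."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(host, pattern, strict):
    """Match one certificate name (CN or DNS subjectAltName) against a host.

    strict=True  : "*.example.org" covers exactly one extra label.
    strict=False : browser-compatible, the wildcard covers deeper subdomains.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern                 # no wildcard: exact match only
    suffix = pattern[1:]                       # "*.example.org" -> ".example.org"
    if suffix.count(".") < 2 or _is_ip_literal(host):
        return False                           # refuse "*.org" and IP literals
    if not host.endswith(suffix) or len(host) == len(suffix):
        return False                           # wildcard needs a non-empty label
    if strict:
        return host.count(".") == pattern.count(".")
    return True


def verify(host, cert_names, strict):
    """A certificate is accepted if any of its names matches the host."""
    return any(name_matches(host, name, strict) for name in cert_names)


def compare(host, cert_names):
    """Outcome of both policies for the same host and certificate names."""
    return {
        "strict": verify(host, cert_names, True),
        "browser_compatible": verify(host, cert_names, False),
    }


# Constructed sample inputs: (host the client dialled, names in the certificate)
CASES = [
    ("odk.example.org", ["odk.example.org"]),       # exact name
    ("odk.example.org", ["*.example.org"]),         # one-level wildcard
    ("odk.field.example.org", ["*.example.org"]),   # two levels below wildcard
    ("example.org", ["*.example.org"]),             # bare domain
    ("odk.example.org", ["www.example.org"]),       # wrong name
]


def disagreements(cases=CASES):
    """Cases where the two policies reach different verdicts."""
    return [(h, names) for h, names in cases
            if verify(h, names, True) != verify(h, names, False)]


if __name__ == "__main__":
    for host, names in CASES:
        print(host, names, compare(host, names))
```

In this model the two policies disagree only when a wildcard name has to cover a host more than one label below it; exact names and single-level wildcards get the same verdict from both.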

Aurelio,

The easy answer is to use GeoTrust certs or to chain your root cert to
something more widely available. You can also submit a patch.

https://code.google.com/p/opendatakit/issues/detail?id=1061 has the
issue. Star it to get updates. No ETA for a fix.

Yaw

--
Need ODK services? http://nafundi.com provides form design, server setup, professional support, and software development for ODK.

Agreed.

Test with another PC/Mac first.

Work with GoDaddy tech support to get to where you can connect to your
server from a wifi hotspot using an un-modified web browser on a client
computer (i.e., without installing or modifying the certificates on the
client computer).

Then test with the browser on your Android device.

If those both work, then ODK Collect should work.

If you are installing new root certificates on the devices, something is
wrong with the issuer of the SSL certificate.


--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Just to chime in here - I've experienced the same issue with Briefcase.
Will star this thread in the hopes that there is a patch issued at some point.

Thanks for all your work on this!