Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com(admin/temptemp), I get a
SSLPeerUnverifiedException, even though the
certificate tests fine in tools like
http://www.digicert.com/help/?host=elmo.sassafrastech.com, and the page
loads fine in the Android browser.
Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on their
device, that would be a big help.
I have exactly the same message when trying to connect via ODKBriefcase
onto an SSL configured server... any help greatly appreciated.
Tumaini
Greetings.
In ODK Collect, when I try to connect to https://elmo.sassafrastech.com(admin/temptemp), I get a SSLPeerUnverifiedException, even though the
certificate tests fine in tools like
http://www.digicert.com/help/?host=elmo.sassafrastech.com, and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on their
device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
I am also getting a similar error (SSL Peer Unverified Exception) when
connecting ODK Collect version 1.4.5 to Aggregate. I have installed a
certificate a .pk7 certificate (that bundled GoDaddy's intermediate and our
domain certificates) to the server but on testing using Networking4All and
SSLShopper I get the errors as shown on the attached images. I have tried
installing intediate certificates from GoDaddy available at
https://certs.godaddy.com/repository as detailed
http://technet.microsoft.com/en-us/library/cc754841.aspx. I believe I am a
missining a very tiny configuration or step to get this working and go and
celebrate. Can anybody please suggest a pathway/solution.
Regards,
Caesar
Tumaini, thanks for chiming in here. Could you name the server hostname and
the certificate issuer (e.g. Geotrust) in case the ODK folks need that info?
I have exactly the same message when trying to connect via ODKBriefcase
onto an SSL configured server... any help greatly appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.comwrote:
Greetings.
In ODK Collect, when I try to connect to https://elmo.sassafrastech.com(admin/temptemp), I get a SSLPeerUnverifiedException, even though the
certificate tests fine in tools like
http://www.digicert.com/help/?host=elmo.sassafrastech.com, and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.
Thanks again,
Tumaini
Tumaini, thanks for chiming in here. Could you name the server hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via ODKBriefcase
onto an SSL configured server... any help greatly appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.comwrote:
Greetings.
In ODK Collect, when I try to connect to https://elmo.sassafrastech.com(admin/temptemp), I get a SSLPeerUnverifiedException, even though the
certificate tests fine in tools like
http://www.digicert.com/help/?host=elmo.sassafrastech.com, and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Apologies, please find below the SSL test URLs that gave the issues
explained above.
https://www.networking4all.com/en/support/tools/site+check/report/?fqdn=odk.kemri-wellcome.org&protocol=https
2.
https://www.sslshopper.com/ssl-checker.html#hostname=odk.kemri-wellcome.org
regards,
caesar
Tom,
I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...
Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).
The reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.
You can test this out by writing an app that uses different levels of
hostname verification. See
for an example.
Yaw
On Wed, Sep 11, 2013 at 6:55 AM, Christopher Robert chrislrobert@gmail.com wrote:
Hi Thomas,
It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see lots
of other possibilities, including the one discussed here:It could be a server configuration issue of some sort.
Best,
Chris
On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth tom@sassafrastech.com wrote:
Christopher, thanks for your input. So far nobody has been able to explain
why the StartSSL and Geotrust certs are trusted by the Android browser and
pretty much everything else, but not by ODK. Does the ssl library consult a
different list of trusted authorities? Wouldn't that be odd?We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.On 11 September 2013 09:10, Christopher Robert crobert@surveycto.com wrote:
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues go
away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the certificate
chain we use. It was a huge pain to construct to begin with, and then it was
a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For us,
that wasn't an option because we're using a wildcard certificate, but for
one-off domains it's not worth the hassle to get a lower-priced certificate
to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.com wrote:
Tumaini, thanks for chiming in here. Could you name the server hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via
ODKBriefcase onto an SSL configured server... any help greatly appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.com wrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests fine in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com, and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues
go away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the certificate
chain we use. It was a huge pain to construct to begin with, and then it
was a huge pain to re-construct when we recently renewed.
Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For
us, that wasn't an option because we're using a wildcard certificate, but
for one-off domains it's not worth the hassle to get a lower-priced
certificate to be as widely trusted.
Best,
Chris
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.comwrote:
Tumaini, thanks for chiming in here. Could you name the server hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via ODKBriefcase
onto an SSL configured server... any help greatly appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.comwrote:
Greetings.
In ODK Collect, when I try to connect to https://elmo.sassafrastech.com(admin/temptemp), I get a SSLPeerUnverifiedException, even though the
certificate tests fine in tools like
http://www.digicert.com/help/?host=elmo.sassafrastech.com, and the
page loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Christopher, thanks for your input. So far nobody has been able to explain
why the StartSSL and Geotrust certs are trusted by the Android browser and
pretty much everything else, but not by ODK. Does the ssl library consult a
different list of trusted authorities? Wouldn't that be odd?
We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues
go away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the certificate
chain we use. It was a huge pain to construct to begin with, and then it
was a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For
us, that wasn't an option because we're using a wildcard certificate, but
for one-off domains it's not worth the hassle to get a lower-priced
certificate to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba tkilimba@ihi.or.tzwrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.comwrote:
Tumaini, thanks for chiming in here. Could you name the server hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via ODKBriefcase
onto an SSL configured server... any help greatly appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.comwrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests fine in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com, and
the page loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
Hi Thomas,
It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.
However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see lots
of other possibilities, including the one discussed here:
It could be a server configuration issue of some sort.
Best,
Chris
Christopher, thanks for your input. So far nobody has been able to explain
why the StartSSL and Geotrust certs are trusted by the Android browser and
pretty much everything else, but not by ODK. Does the ssl library consult a
different list of trusted authorities? Wouldn't that be odd?We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.On 11 September 2013 09:10, Christopher Robert crobert@surveycto.comwrote:
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues
go away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the
certificate chain we use. It was a huge pain to construct to begin with,
and then it was a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For
us, that wasn't an option because we're using a wildcard certificate, but
for one-off domains it's not worth the hassle to get a lower-priced
certificate to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba tkilimba@ihi.or.tzwrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.comwrote:
Tumaini, thanks for chiming in here. Could you name the server hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via
ODKBriefcase onto an SSL configured server... any help greatly appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.comwrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests fine in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com, and
the page loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Hmm, that answer resulted in this: "After piles of digging and
experimentation, I finally realized that the url I was using had hard coded
port 80 instead of defaulting to 443. Dumb dumb dumb."
This is certainly not the case here.
Would love to hear the ODK core folks chime in on this one...
Hi Thomas,
It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see lots
of other possibilities, including the one discussed here:It could be a server configuration issue of some sort.
Best,
Chris
On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth tom@sassafrastech.comwrote:
Christopher, thanks for your input. So far nobody has been able to
explain why the StartSSL and Geotrust certs are trusted by the Android
browser and pretty much everything else, but not by ODK. Does the ssl
library consult a different list of trusted authorities? Wouldn't that be
odd?We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.On 11 September 2013 09:10, Christopher Robert crobert@surveycto.comwrote:
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had trust
issues in the past -- never with Briefcase, but definitely with some older
Android devices. We spent enormous amounts of energy to make those issues
go away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a broadly-trusted
Equifax root authority. The latter solution seemed to be the key for more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the
certificate chain we use. It was a huge pain to construct to begin with,
and then it was a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box. For
us, that wasn't an option because we're using a wildcard certificate, but
for one-off domains it's not worth the hassle to get a lower-priced
certificate to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba tkilimba@ihi.or.tzwrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.comwrote:
Tumaini, thanks for chiming in here. Could you name the server
hostname and the certificate issuer (e.g. Geotrust) in case the ODK folks
need that info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tzwrote:
I have exactly the same message when trying to connect via
ODKBriefcase onto an SSL configured server... any help greatly appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.comwrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests fine in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com, and
the page loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to opendatakit-developers+unsubscribe@googlegroups.com
.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
Bingo. Beautiful. I suspected something exactly like this. Thank you Yaw.
Is there any reason ODK's security level is so high? Higher than the
Android browser that is probably handling credit card information, etc.,
out the wazoo?
Or if there are some folks that need super high security, couldn't there be
a prefs setting? It could even default to super-high for all I care. Just
as long as there was some way to tone it down a bit.
I might could supply this patch if there was agreement...
Tom,
I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).Failure
http://www.sslshopper.com/ssl-checker.html#hostname=https://elmo.sassafrastech.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://openhds.ihi.or.tz/ODKAggregateUrban
Success
http://www.sslshopper.com/ssl-checker.html#hostname=https://www.surveycto.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://google.comThe reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.You can test this out by writing an app that uses different levels of
hostname verification. Seehttp://stackoverflow.com/questions/2012497/accepting-a-certificate-for-https-on-android
for an example.Yaw
Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.On Wed, Sep 11, 2013 at 6:55 AM, Christopher Robert chrislrobert@gmail.com wrote:
Hi Thomas,
It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see
lots
of other possibilities, including the one discussed here:It could be a server configuration issue of some sort.
Best,
Chris
On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth tom@sassafrastech.com wrote:
Christopher, thanks for your input. So far nobody has been able to
explain
why the StartSSL and Geotrust certs are trusted by the Android browser
and
pretty much everything else, but not by ODK. Does the ssl library
consult a
different list of trusted authorities? Wouldn't that be odd?We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.On 11 September 2013 09:10, Christopher Robert crobert@surveycto.com wrote:
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had
trust
issues in the past -- never with Briefcase, but definitely with some
older
Android devices. We spent enormous amounts of energy to make those
issues go
away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a
broadly-trusted
Equifax root authority. The latter solution seemed to be the key for
more
ubiquitous trust, and I suspect that we could un-bundle our certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the
certificate
chain we use. It was a huge pain to construct to begin with, and then
it was
a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box.
For us,
that wasn't an option because we're using a wildcard certificate, but
for
one-off domains it's not worth the hassle to get a lower-priced
certificate
to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.com wrote:
Tumaini, thanks for chiming in here. Could you name the server
hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks
need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via
ODKBriefcase onto an SSL configured server... any help greatly
appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth < tom@sassafrastech.com> wrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests fine
in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com,
and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it
on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to
opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com
Tom,
I can't think of a good reason why it's that strict and I think a
patch to dial it down would be a good idea.
No settings. I prefer opinionated software.
Yaw
On Wed, Sep 11, 2013 at 7:44 AM, Thomas Smyth tom@sassafrastech.com wrote:
Bingo. Beautiful. I suspected something exactly like this. Thank you Yaw.
Is there any reason ODK's security level is so high? Higher than the Android
browser that is probably handling credit card information, etc., out the
wazoo?Or if there are some folks that need super high security, couldn't there be
a prefs setting? It could even default to super-high for all I care. Just as
long as there was some way to tone it down a bit.I might could supply this patch if there was agreement...
On 11 September 2013 10:31, Yaw Anokwa yanokwa@nafundi.com wrote:
Tom,
I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).Failure
http://www.sslshopper.com/ssl-checker.html#hostname=https://elmo.sassafrastech.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://openhds.ihi.or.tz/ODKAggregateUrban
Success
http://www.sslshopper.com/ssl-checker.html#hostname=https://www.surveycto.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://google.comThe reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.You can test this out by writing an app that uses different levels of
hostname verification. Seehttp://stackoverflow.com/questions/2012497/accepting-a-certificate-for-https-on-android
for an example.Yaw
Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.On Wed, Sep 11, 2013 at 6:55 AM, Christopher Robert chrislrobert@gmail.com wrote:
Hi Thomas,
It did tend to be the case that everything on the device (including the
built-in browser) would fail to trust our certificate... so you're right
that your case seems different.However, we haven't seen any indication of a problem in Collect's code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see
lots
of other possibilities, including the one discussed here:It could be a server configuration issue of some sort.
Best,
Chris
On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth tom@sassafrastech.com wrote:
Christopher, thanks for your input. So far nobody has been able to
explain
why the StartSSL and Geotrust certs are trusted by the Android browser
and
pretty much everything else, but not by ODK. Does the ssl library
consult a
different list of trusted authorities? Wouldn't that be odd?We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in ODK.
Unless someone else has a clear explanation.On 11 September 2013 09:10, Christopher Robert crobert@surveycto.com wrote:
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had
trust
issues in the past -- never with Briefcase, but definitely with some
older
Android devices. We spent enormous amounts of energy to make those
issues go
away, including bundling our certificate with our build of Collect and
re-working the GeoTrust certificate chain to link back to a
broadly-trusted
Equifax root authority. The latter solution seemed to be the key for
more
ubiquitous trust, and I suspect that we could un-bundle our
certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the
certificate
chain we use. It was a huge pain to construct to begin with, and then
it was
a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a Verisign
certificate that will likely be trusted by everybody out of the box.
For us,
that wasn't an option because we're using a wildcard certificate, but
for
one-off domains it's not worth the hassle to get a lower-priced
certificate
to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth tom@sassafrastech.com wrote:
Tumaini, thanks for chiming in here. Could you name the server
hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks
need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via
ODKBriefcase onto an SSL configured server... any help greatly
appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.com wrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests fine
in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com,
and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try it
on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to
opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
So much the easier!
Tom,
I can't think of a good reason why it's that strict and I think a
patch to dial it down would be a good idea.No settings. I prefer opinionated software.
Yaw
Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.On Wed, Sep 11, 2013 at 7:44 AM, Thomas Smyth tom@sassafrastech.com wrote:
Bingo. Beautiful. I suspected something exactly like this. Thank you Yaw.
Is there any reason ODK's security level is so high? Higher than the
Android
browser that is probably handling credit card information, etc., out the
wazoo?Or if there are some folks that need super high security, couldn't there
be
a prefs setting? It could even default to super-high for all I care.
Just as
long as there was some way to tone it down a bit.I might could supply this patch if there was agreement...
On 11 September 2013 10:31, Yaw Anokwa yanokwa@nafundi.com wrote:
Tom,
I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).Failure
http://www.sslshopper.com/ssl-checker.html#hostname=https://elmo.sassafrastech.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://openhds.ihi.or.tz/ODKAggregateUrban
Success
http://www.sslshopper.com/ssl-checker.html#hostname=https://www.surveycto.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://google.com
The reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.You can test this out by writing an app that uses different levels of
hostname verification. Seehttp://stackoverflow.com/questions/2012497/accepting-a-certificate-for-https-on-android
for an example.
Yaw
Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.On Wed, Sep 11, 2013 at 6:55 AM, Christopher Robert chrislrobert@gmail.com wrote:
Hi Thomas,
It did tend to be the case that everything on the device (including
the
built-in browser) would fail to trust our certificate... so you're
right
that your case seems different.However, we haven't seen any indication of a problem in Collect's
code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see
lots
of other possibilities, including the one discussed here:It could be a server configuration issue of some sort.
Best,
Chris
On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth tom@sassafrastech.com wrote:
Christopher, thanks for your input. So far nobody has been able to
explain
why the StartSSL and Geotrust certs are trusted by the Android
browser
and
pretty much everything else, but not by ODK. Does the ssl library
consult a
different list of trusted authorities? Wouldn't that be odd?We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in
ODK.
Unless someone else has a clear explanation.On 11 September 2013 09:10, Christopher Robert < crobert@surveycto.com> wrote:
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had
trust
issues in the past -- never with Briefcase, but definitely with some
older
Android devices. We spent enormous amounts of energy to make those
issues go
away, including bundling our certificate with our build of Collect
and
re-working the GeoTrust certificate chain to link back to a
broadly-trusted
Equifax root authority. The latter solution seemed to be the key for
more
ubiquitous trust, and I suspect that we could un-bundle our
certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the
certificate
chain we use. It was a huge pain to construct to begin with, and
then
it was
a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a
Verisign
certificate that will likely be trusted by everybody out of the box.
For us,
that wasn't an option because we're using a wildcard certificate,
but
for
one-off domains it's not worth the hassle to get a lower-priced
certificate
to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba < tkilimba@ihi.or.tz> wrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and
the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth < tom@sassafrastech.com> wrote:
Tumaini, thanks for chiming in here. Could you name the server
hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks
need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via
ODKBriefcase onto an SSL configured server... any help greatly
appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.com wrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests
fine
in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com,
and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try
it
on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from
it,
send an email to
opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit
https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out
.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com
It is all OK for our server but still SSLPeerUnverifiedException in
Briefcase.
Any update on Briefcase to lower the trust levels or to fix this?
Aurelio
I'd recommend talking to GoDaddy support about this.
Apologies, please find below the SSL test URLs that gave the issues
explained above.
https://www.networking4all.com/en/support/tools/site+check/report/?fqdn=odk.kemri-wellcome.org&protocol=https
2.
https://www.sslshopper.com/ssl-checker.html#hostname=odk.kemri-wellcome.orgregards,
caesar
--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafras.coop · @sassafrastech
Resident, Touchstone Cohousing
touchstonecohousing.org
The trust levels are the default setting of the Apache HTTP Client
libraries. Open an issue with your patch and we'll take a look.
So much the easier!
On 11 September 2013 14:49, Yaw Anokwa yanokwa@nafundi.com wrote:
Tom,
I can't think of a good reason why it's that strict and I think a
patch to dial it down would be a good idea.No settings. I prefer opinionated software.
Yaw
Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.On Wed, Sep 11, 2013 at 7:44 AM, Thomas Smyth tom@sassafrastech.com wrote:
Bingo. Beautiful. I suspected something exactly like this. Thank you
Yaw.Is there any reason ODK's security level is so high? Higher than the
Android
browser that is probably handling credit card information, etc., out the
wazoo?Or if there are some folks that need super high security, couldn't
there be
a prefs setting? It could even default to super-high for all I care.
Just as
long as there was some way to tone it down a bit.I might could supply this patch if there was agreement...
On 11 September 2013 10:31, Yaw Anokwa yanokwa@nafundi.com wrote:
Tom,
I have spent countless hours fixing this very problem for some of
Nafundi's clients. Here's what I think is happening...Check your server certificate chain with SSL Shopper and you'll see
that the URLs that fail aren't chained to an old-school cert issuer
(usually Equifax).Failure
http://www.sslshopper.com/ssl-checker.html#hostname=https://elmo.sassafrastech.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://openhds.ihi.or.tz/ODKAggregateUrban
Success
http://www.sslshopper.com/ssl-checker.html#hostname=https://www.surveycto.com
http://www.sslshopper.com/ssl-checker.html#hostname=https://google.com
The reason those failed certificates work in the Android browser is
that browsers have lower levels of verification that match all
subdomains (usually called browser compatible hostname verification)
whereas I think Collect has stricter levels of verification due to the
default hostname verifiers of the HTTPS libraries it uses.You can test this out by writing an app that uses different levels of
hostname verification. Seehttp://stackoverflow.com/questions/2012497/accepting-a-certificate-for-https-on-android
for an example.
Yaw
Need ODK services? http://nafundi.com provides form design,
professional support, custom reporting, and software development for
ODK.On Wed, Sep 11, 2013 at 6:55 AM, Christopher Robert chrislrobert@gmail.com wrote:
Hi Thomas,
It did tend to be the case that everything on the device (including
the
built-in browser) would fail to trust our certificate... so you're
right
that your case seems different.However, we haven't seen any indication of a problem in Collect's
code.
Rather, if you Google "android SSLPeerUnverifiedException" you'll see
lots
of other possibilities, including the one discussed here:It could be a server configuration issue of some sort.
Best,
Chris
On Wed, Sep 11, 2013 at 9:48 AM, Thomas Smyth <tom@sassafrastech.com wrote:
Christopher, thanks for your input. So far nobody has been able to
explain
why the StartSSL and Geotrust certs are trusted by the Android
browser
and
pretty much everything else, but not by ODK. Does the ssl library
consult a
different list of trusted authorities? Wouldn't that be odd?We are using Android v4.x here, so age is not an issue.
I suspect there may be something slightly off with the SSL code in
ODK.
Unless someone else has a clear explanation.On 11 September 2013 09:10, Christopher Robert < crobert@surveycto.com> wrote:
Thomas, Tumaini,
We use GeoTrust certificates for *.surveycto.com, and we have had
trust
issues in the past -- never with Briefcase, but definitely with
some
older
Android devices. We spent enormous amounts of energy to make those
issues go
away, including bundling our certificate with our build of Collect
and
re-working the GeoTrust certificate chain to link back to a
broadly-trusted
Equifax root authority. The latter solution seemed to be the key
for
more
ubiquitous trust, and I suspect that we could un-bundle our
certificate
without any trouble. If you go to
https://www.surveycto.com/support/login.html, you can see the
certificate
chain we use. It was a huge pain to construct to begin with, and
then
it was
a huge pain to re-construct when we recently renewed.Frankly, I would suggest giving up and just paying more for a
Verisign
certificate that will likely be trusted by everybody out of the
box.
For us,
that wasn't an option because we're using a wildcard certificate,
but
for
one-off domains it's not worth the hassle to get a lower-priced
certificate
to be as widely trusted.Best,
Chris
On Wed, Sep 11, 2013 at 7:53 AM, Tumaini Kilimba < tkilimba@ihi.or.tz> wrote:
Sure, server is https://openhds.ihi.or.tz/ODKAggregateUrban and
the
certificate issuer is Geotrust.Thanks again,
TumainiOn Wed, Sep 11, 2013 at 2:48 PM, Thomas Smyth < tom@sassafrastech.com> wrote:
Tumaini, thanks for chiming in here. Could you name the server
hostname
and the certificate issuer (e.g. Geotrust) in case the ODK folks
need that
info?On 11 September 2013 02:24, Tumaini Kilimba tkilimba@ihi.or.tz wrote:
I have exactly the same message when trying to connect via
ODKBriefcase onto an SSL configured server... any help greatly
appreciated.Tumaini
On Wed, Sep 11, 2013 at 1:20 AM, Thomas Smyth tom@sassafrastech.com wrote:
Greetings.
In ODK Collect, when I try to connect to
https://elmo.sassafrastech.com (admin/temptemp), I get a
SSLPeerUnverifiedException, even though the certificate tests
fine
in tools
like http://www.digicert.com/help/?host=elmo.sassafrastech.com
,
and the page
loads fine in the Android browser.Has anyone encountered anything like this?
It works fine for other servers.
It could perhaps be a caching issue. If someone else could try
it
on
their device, that would be a big help.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from
it,
send an email to
opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit
https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from
it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com
.
For more options, visit
https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out
.--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.--
Tom Smyth
Worker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafrastech.com--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
Aurelio,
The easy answer is to use GeoTrust certs or to chain your root cert to
something more widely available. You can also submit a patch.
https://code.google.com/p/opendatakit/issues/detail?id=1061 has the
issue. Star it to get updates. No ETA for a fix.
Yaw
Agreed.
Test with another PC/Mac first.
Work with GoDaddy tech support to get to where you can connect to your
server from a wifi hotspot using an un-modified web browser on a client
computer (i.e., without installing or modifying the certificates on the
client computer).
Then Test with the browser on your Android device.
If those both work, then ODK Collect should work.
If you are installing new root certificates on the devices, something is
wrong with the issuer of the SSL certificate.
I'd recommend talking to GoDaddy support about this.
On 20 March 2015 at 05:15, Caesar caesar.olima@gmail.com wrote:
Apologies, please find below the SSL test URLs that gave the issues
explained above.
https://www.networking4all.com/en/support/tools/site+check/report/?fqdn=odk.kemri-wellcome.org&protocol=https
2.
https://www.sslshopper.com/ssl-checker.html#hostname=odk.kemri-wellcome.orgregards,
caesar
--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.--
Tom SmythWorker-Owner, Sassafras Tech Collective
Specializing in innovative, usable tech for social change
sassafras.coop · @sassafrastechResident, Touchstone Cohousing
touchstonecohousing.org--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
Just to chime in here - I've experienced the same issue with Briefcase.
Will star this thread in the hopes that there is a patch issued at some point.
Thanks for all your work on this!
