Jump to content
Enpass Discussion Forum

Enpass 6 Android and self-signed CA

Axxel H

Recommended Posts

I'm trying to connect the Enpass 6 Android beta to a WebDAV server  that has a self-signed certificate issued by a self-signed CA. The CA is installed and trusted in the Android certificate store and works without issue in apps that reference that. This works in Enpass for Mac, but doesn't in Android without enabling "Bypass SSL certificate verification".

The release notes for Enpass 5.5.5 indicate that self-signed certs should work, but it doesn't indicate what the expected behavior is. Is needing to enable cert verification expected on Android? Does Enpass at least remember the prior certificate so that man-in-the-middle attacks are not possible?



Link to comment
Share on other sites

The device is a OnePlus 5 with Oxygen OS 5.1.5 (Android 8.1.0) running Enpass beta (the latest available from the Play Store).

The certificate chain is as follows: webdav server -> intermediate CA -> root CA (self signed). Both the root and intermediate CAs are installed in the Android security storage for credentials. The Webdav server serves the full cert chain (cert and all CAs). Again, this works fine with the Enpass Mac client.

Your response makes me believe this is expected to work, but while you debug can you explain exactly what "Bypass SSL certificate verification" does? There are two interpretations:

- It might mean that no verification is performed on initial connection, but subsequent connections must use the same cert. This is safe enough for my purposes, as it is not subject to man-in-the-middle attacks.

- It might mean that no certificate verification is performed, and that any certificate can be used and changed at any time, which means man-in-the-middle is a potential issue.

Which interpretation does Enpass Android use?


Link to comment
Share on other sites

I've conducted a few more experiments, and the results are disappointing:

- It appears the problem is not with the intermediate CA, using a cert issued by the root CA fails as well.

- It appears the "Bypass SSL certificate verification" option prevents all subsequent SSL verification, offering no man-in-the-middle protection. I was able to introduce a new self-signed cert not issued by any trusted CA and Enpass beta continued to sync with the server without error.

Can you confirm this is either a bug or expected behavior?

Link to comment
Share on other sites

  • 1 month later...

After encountering problems with self-signed certs in a different app, I'm reasonably sure this is the issue:


Related discussion here:


I'd encourage you to consider adding the exceptions to allow self-signed certs, at least as an option. Other apps I use with NextCloud appear to have done this (CardDAV sync, for example). I'd imagine that other folks running private nextcloud/owncloud/etc. will encounter this issue. While there are security tradeoffs mentioned in the documentation, its not clear there's a better solution for WebDAV sync on Android that doesn't have other concerns (certificate costs, Let's Encrypt 90d expiration, etc.).


Link to comment
Share on other sites

  • 3 weeks later...

@Anshu kumar

Using Android version I'm now getting an error when connecting to Nextcloud that explains the certificate is not trusted, so that's an improvement in the error messages.

However, as I indicated the cert is trusted in the user store so I think the problem is the rules around user certificate trust. Again, I'd encourage you to consider allowing self-signed certs with the links I provided above.


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Privacy Policy