Android app can no longer connect to secure server trusted by user-added CA

[noemartinez]

We have a Zulip server set up with a secure SSL certificate, but the certificate is trusted only by an internal Certificate Authority of ours so far, not yet a public CA.

In previous versions of the Android app, I was able to connect to the server over from the Android app as long as my phone was connected to our VPN and I had added our internal CA to my Android device.

This no longer works in the latest versions of the app. Zulip now says "Cannot connect to server".

I'm fairly confident the fix is fairly simple: add a network security configuration file to the app, and set it up to trust user-added CAs for secure connections, but I'm not sure if there's any philosophical objections to re-enabling that. Hopefully not! It has been a handy workflow while we're internally testing Zulip before we are able to expose our server publicly.

Thanks!

[gnprice]

A later request for this appears at #3425.

The reason this changed in a new version of the Zulip app was that the default had changed in Android. This was one of those changes which Android gives apps some choice in the timing of, through the targetSdkVersion mechanism for saying what Android version's defaults to use.

There was a PR at #3314, now stale. That version allowed user-added CAs globally. My feedback there was:

Hmm. I don't love this solution of reverting to the old defaults. The problem of securing TLS and the CA system is complex and has a number of smart people working on it, and in general I'd much rather take the solutions shipped by major browsers and other expert security teams like those at Google, rather than second-guess them.

For the request in #3312 [that's this issue!], I think my ideal solution would be to make it a user opt-in: a switch in settings somewhere. Unfortunately there doesn't seem to be a good way to control this from code -- if you need to control it from code, it looks like you're stuck with the notorious TrustManager API, and I don't even see how to express in that API the equivalent of this configuration. (Surely it's there somehow? But it's going to be complicated to pin down.)

A solution that I think I'd be OK with would be to set this configuration except for domains that we know should be identified by certs from global trusted CAs. In particular: zulipchat.com and its subdomains, and chat.zulip.org. That should mitigate the risk substantially. In the blog post [linked in the OP of this issue], under "Trusting user-added CAs for all domains except some" there's an example of how to do this.

I'd be happy to take a PR for the solution described in that last paragraph.