Issue #1435

Public Key Authentication with own CA causes "Network may be monitored" warning on Android 4.4/5/6 with strongSwan app

Added by Carl-Daniel Hailfinger almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Category: android
Affected version: 5.3.2
Resolution: No change required

Description

Creating my own CA, cert and key according to https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA and then importing the generated PKCS#12 file into Android causes a permanent (i.e. cannot be dismissed) warning in Android 6.0: "Network may be monitored".
The only way to remove the warning is to remove my own CA from the Android CA storage. Funnily enough, starting and stopping the VPN connection still works even after the CA has been removed from Android. However, after a reboot the missing CA causes failure on connection establishment.

Google has claimed in https://code.google.com/p/android/issues/detail?id=62076#c8 that the warnings are working as intended.

Since it seems some caching is going on (otherwise establishing connections after removing the CA should be impossible), can the strongSwan app store the CA somewhere internally where Android won't complain?

History

#1 Updated by Noel Kuntze almost 4 years ago

Hello,

The CA certificate (or server certificate) can also be imported directly into the app.
The PKCS#12 file would then only contain the user certificate and the corresponding key.
After deleting the old imported files and importing the new PKCS#12 file and the CA certificate separately (the first one into the Android trust store, the second one into the app), the warning should disappear.
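Added example, not part of the original thread and not strongSwan's own tooling: one way to do the split described in comment #1 with the openssl command line, taking an existing PKCS#12 file that still contains the CA certificate. It assumes the container password is in the environment variable P12_PASS; the function and file names are hypothetical, and make_demo_p12 only builds constructed throwaway test data.

```shell
#!/bin/sh
# The password is read via env:P12_PASS so it never shows up in the process list.

# count_certs FILE.p12 -> prints the number of certificates in the container
count_certs() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# split_p12 SRC.p12 DST_DIR
#   DST_DIR/user.p12 : user certificate + private key only (import into Android)
#   DST_DIR/ca.pem   : CA certificate(s) only (import into the strongSwan app)
split_p12() (
    umask 077                     # the private key is briefly on disk unencrypted
    src=$1 dst=$2 rc=0
    mkdir -p "$dst" || exit 1
    { openssl pkcs12 -in "$src" -passin env:P12_PASS -clcerts -nokeys \
          -out "$dst/user-cert.pem" &&
      openssl pkcs12 -in "$src" -passin env:P12_PASS -cacerts -nokeys \
          -out "$dst/ca.pem" &&
      openssl pkcs12 -in "$src" -passin env:P12_PASS -nocerts -nodes \
          -out "$dst/user-key.pem" &&
      openssl pkcs12 -export -inkey "$dst/user-key.pem" -in "$dst/user-cert.pem" \
          -passout env:P12_PASS -out "$dst/user.p12"; } 2>/dev/null || rc=$?
    rm -f "$dst/user-key.pem" "$dst/user-cert.pem"   # always remove the temp files
    exit "$rc"
)

# make_demo_p12 DIR: constructed throwaway CA and user certificate (test data only),
# bundled with the CA certificate included, written to DIR/full.p12
make_demo_p12() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout caKey.pem -out caCert.pem \
        -subj "/CN=Demo CA" -days 1 &&
    openssl req -newkey rsa:2048 -nodes -keyout userKey.pem -out userReq.pem \
        -subj "/CN=demo-user" &&
    openssl x509 -req -in userReq.pem -CA caCert.pem -CAkey caKey.pem \
        -CAcreateserial -out userCert.pem -days 1 &&
    openssl pkcs12 -export -inkey userKey.pem -in userCert.pem \
        -certfile caCert.pem -passout env:P12_PASS -out full.p12
) 2>/dev/null
```

Running count_certs on user.p12 before importing it confirms that only one certificate is left in the container.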

#2 Updated by Tobias Brunner almost 4 years ago

  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

can the strongSwan app store the CA somewhere internally where Android won't complain?

Yes, as Noel mentioned, CA and server certificates may be imported into the app since 1.4.0.

#3 Updated by Carl-Daniel Hailfinger almost 4 years ago

Thank you very much, that did the trick. I added this info to the SimpleCA wiki page.

Just in case someone hits this issue in a German localized Android, the warning message was "Das Netzwerk wird möglicherweise von einem unbekannten Dritten überwacht".
