[Q] Sync issues with mangled SSL certificates on WiFi connection? - Android Q&A, Help & Troubleshooting

So we got a new guest access wifi network at work a few months ago. That's great, because cell signal inside the building is horrible!
Prior to implementing the guest wifi, however, they implemented SSL inspection on the firewall. This broke many things for some of us, particularly Firefox would complain about EVERY SSL page:
Technical Details
docs.google.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
So I fired up the wifi on my phone, hoping to get some use out of that, but the wifi icon would never turn green (indicating Google sync, etc.), and I would never get new emails or anything until I switched back to 3g/1x.
My question is, is there anything I can do on my phone to allow this crappy non-secure wifi connection to allow SSL traffic? There's definitely nothing I can do to fix the problem at the AP side...
I'm running an EVO 4g with CM7, and have no problems with any other wifi APs, just the one at work.

Related

[Q] Enterprise Wi-fi connection problem

OK, so my wifi works great; however, when I try to connect to the wifi on my school's campus, it says networks are available, but then none show up in the settings.
My school uses long range Xirrus access points that use enterprise encryption. I am able to connect using my Android phone, which is running 2.2, but no access points show up for me to connect to on my GTab.
I downloaded Wi-Fi Analyzer and all the APs show up, typically with great signal strength. I find it strange that the GTab's wifi card can pick up the signal but it will not allow me to connect to the APs. I would like to fix this problem so that I can use my GTab at school!
I'm running TnT Lite 4.3.2 with Clemysyn's Kernel v. 9.
This is likely a stock issue -- enterprise encryption = ? MSCHAP v2? TKIP? PEAP? Any certificates required?
If you get the details, you might want to pass this on to Viewsonic CS, although I suspect that they will say that this device is not meant for Enterprise networks. As for TNT Lite, it follows stock as far as Wifi (with the exception of ad-hoc, of course). I'm not sure if mods like VEGAn have better support for Enterprise networks, however -- anyone have any idea?
They use WPA2-Enterprise encryption with PEAP authentication. No certificates are manually added, it just requires username and login at initial connection.
Sadly I never tried connecting before I flashed your ROM, but it sounds like you are correct. I will definitely pass this on to ViewSonic CS.
Thanks roebeet.

[SOLVED] touchpad 802.11X enterprise+certificate wifi connectivity

One of the corner cases it seems HP did not design into webOS is the ability to auto negotiate a full 802.11X connection. I managed to fix this though and my touchpad is happily connected to our office wi-fi and I figure anyone else trying this might want to check out the workaround I managed.
When I attempted to configure my touchpad to connect to an office/enterprise access point, I hit a brick wall after completing all the required steps. It was able to use the current user credentials and get to the access point itself, but failed out with a "warning, no certificate is found for this network, please contact your network administrator" type of message.
Well of course no one in our IT group had ever so much as seen WebOS and ultimately I was left to fend for myself.
The goal here is to successfully transfer the (normally auto-retrieved) 802.11X signing certificate to the touchpad so that it can properly connect to your corporate/enterprise wireless network. On other devices such as Android this seems to all be automated, but on the touchpad a significant amount of manual arm-wringing was needed to get it to all work together.
Step 1: Getting a root security certificate for your company.
There are a few guides out there for various operating systems/devices which you can use. Since my office machine was Windows 7, that's what I have direct experience with.
Win7 has a built-in certificate management tool, but it is not listed in any of the menus. To get to it, enter certmgr.msc into the run panel and it will open up this handy dandy little tool.
Once you have that tool open, look into the root certificate authority folder and find your company's enterprise certificate. Hopefully it will be fairly easy to spot, i.e. if you work at company with domain X, you should see something like "X Enterprise CA".
Right click this certificate and select "All Tasks->Export" which will bring up a wizard with a few different certificate formats. After much trial and error, I found that the only one the touchpad seemed to natively understand was the "Base-64 encoded X.509". Finish the export with a file name and you can find it in your default user folder.
Step 2: Transfer this file to your touchpad
This one is a no brainer, just connect the touchpad via usb to your machine where you have this file, and drag it over.
Step 3: Importing the new certificate
All you need here is any webos file manager capable of opening a file. I used Gemini File Manager, but several free ones are also available and should work.
Open the file manager app on your touchpad, and run that certificate file. This will open a certificate manager tool on the touchpad and prompt you to trust this new certificate. Once you select to trust it, it will be brought into the system and available to use for 802.11x authentication.
Step 4: Connecting to the network
At this point all you should have to do is connect to the office wireless that was giving you trouble before, and now after giving all your authentication info it should successfully connect and offer full connectivity.
It seems a little convoluted but it is awfully nice to have the touchpad be fully on-line and available around the office, and you only have to do it the one time; successive connections should all just work.
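Step 1 hinges on the export format, so as an added example (not part of the original post), this Python sketch checks which of the export wizard's formats a file is in, converts binary DER X.509 to the Base-64 form the post found to work, and computes a SHA-256 fingerprint to compare with your IT group before trusting a file someone sent you. The function names and the two sample byte strings are constructed for illustration; the check is structural only and does not validate the certificate.

```python
import hashlib
import ssl

# DER encoding of the PKCS #7 signedData OID, which opens a .P7B export.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def der_body(data: bytes) -> bytes:
    """Return the contents of the outer DER SEQUENCE, or raise ValueError."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short-form length
        start, length = 2, first
    else:                                 # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported DER length")
        start, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if start + length != len(data):
        raise ValueError("DER length does not match file size")
    return data[start:]

def classify(data: bytes) -> str:
    """Structural guess at which export format a file is in."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "base64-x509"
    try:
        body = der_body(data)
    except ValueError:
        return "unknown"
    if body.startswith(PKCS7_SIGNED_DATA_OID):
        return "der-pkcs7"
    if body[:1] == b"\x30":               # tbsCertificate is itself a SEQUENCE
        return "der-x509"
    return "unknown"

def to_base64_x509(data: bytes) -> str:
    """Return the certificate as Base-64 (PEM) text, converting from DER if needed."""
    kind = classify(data)
    if kind == "base64-x509":             # normalise Windows CRLF line endings
        return data.decode("ascii").strip().replace("\r\n", "\n") + "\n"
    if kind == "der-x509":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError(f"cannot convert {kind} file; re-export as Base-64 encoded X.509")

def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, for comparison with a trusted reference value."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

# Constructed stand-ins, not real certificates: SEQUENCE { SEQUENCE { INTEGER 2 } }
# and a SEQUENCE that opens with the PKCS #7 signedData OID.
SAMPLE_DER = bytes.fromhex("30053003020102")
SAMPLE_P7B = bytes.fromhex("300b06092a864886f70d010702")
```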
I've tried this at my University, but it doesn't work for my exact situation. Hopefully it will work for others too. Kudos for figuring it out! As for me, apparently WPA2 Enterprise PEAP MSCHAPV2 is a no go until the WebOS team will update/fix it....
I managed to get connected to my MS corp wireless, but will actually see if I have network connectivity a bit later (and update this thread).
It's given me full connectivity here (I'm writing this on my touchpad on the enterprise WiFi right now). It's also worked for several other people here lucky enough to score one as well.
The biggest sticking point was getting the right certificate in the right (touchpad working) format. Once I managed to get that file, simply sending it around helped everyone else here get going in a couple minutes vs a couple hours it took when I was trying to sort it all out.
We use 802.1x at work without server certs. Just peap and mschap v2. I haven't had any luck connecting though. Anyone else been able to?
Looks like PEAP support is a major sticking point.
There's a tutorial here: http://www.webos-internals.org/wiki/Advanced_Wifi
(I changed some of the script as per the thread I got the link from here: http://forums.precentral.net/hp-touchpad/288229-wifi-enterprise-802-1x.html)
I tracked down the ARM wpa_supplicant package here: http://packages.debian.org/squeeze/armel/wpasupplicant/download
And the libreadline.so.6 package here:
http://packages.debian.org/squeeze/armel/libreadline6/download
.DEB packages just have .TAR files inside them so I extracted what I needed using 7Zip and used WebOSQuickInstall to copy the files to the TP.
Even after following the other directions though, I consistently get an error saying:
Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory
Not having much luck...
What's odd is our network looks like it does have PEAP set but with this certificate it's working on the touchpad just fine.
It uses our Exchange login info with a slightly off domain but even that has not thrown it.
The exact network configuration visible in the windows properties for the wireless link here is as follows:
Security: WPA2-Enterprise
Encryption: AES
Network Authentication: PEAP
Validate Server Certificate
Secured Password (EAP-MSCHAPv2) (Automatically use windows login/pass/domain)
Fast Reconnect
I haven't had luck with anything so far.
Is anyone willing to make a patch to fix the MSCHAPv2 problems? I'm willing to donate to your cause if I can get my TouchPad to connect to my school's wireless, as it's essentially useless right now.
The network here uses WPA-Enterprise (not WPA2), and PEAP with password authentication only (no cert needed - as far as I'm aware it doesn't issue one to the phone).
I managed to get the TP to say "no network with that name and security method" found when I had the protocol set to IEEE801X, it doesn't do it when I set it to WPA-EAP though.
Essentially, using (what I believe to be) the exact same settings that work with my SGS2, doesn't work with the TouchPad.
It looks like at best the enterprise stuff is kinda half baked. If you need a certificate, webos is capable of *using* one, but not generating it. If it's non certificate based, it seems to just fail out entirely.
Have you guys who are having the failures had luck with other devices like laptops etc? If so, what are the settings used to establish that successful connection? It seems like the touchpads are *capable* of maintaining peap/mschapv2 connections, as that is the setup my office uses, but for some reason without the certificate requirement it just is glitching out and won't establish the connection in the first place.
eltee said:
It looks like at best the enterprise stuff is kinda half baked. If you need a certificate, webos is capable of *using* one, but not generating it. If it's non certificate based, it seems to just fail out entirely.
Have you guys who are having the failures had luck with other devices like laptops etc? If so, what are the settings used to establish that successful connection? It seems like the touchpads are *capable* of maintaining peap/mschapv2 connections, as that is the setup my office uses, but for some reason without the certificate requirement it just is glitching out and won't establish the connection in the first place.
My Windows7 laptop and my WP7 Samsung Focus both securely connect to the network fine. My TouchPad is the first device I've ever heard of having issues connecting.
Hell, my roommate even has his PS3 and XBOX connected.
Thanks OP! Method works on Swansea University Eduroam.
bump now that we have a 3.03/04 update
anyone know if it worked?
Installed the WiFi Certificate but still no luck.
Any other workarounds out there?
Just updated (manually) to the leaked 3.0.3 version and it's resolved the Enterprise Wifi connection issue.
Confirmed, my WiFi works. Enterprise mschapv2 PEAP without certificate. 3.0.3. Now I can leave my laptop at home and use splashtop if I need anything.. *rock on*
I can also confirm that the certificate issue has been solved in 3.03, but now I can't set a proxy, has anyone been able to?
PEAP/MSCHAPv2 fixed with "official" 3.04 OTA too
PEAP/MSCHAPv2 authentication has stayed fixed with the official 3.04 OTA update.
I've just checked that I can connect to an eduroam connection configured this way at a UK university, which the TouchPad couldn't do before.
professordes said:
PEAP/MSCHAPv2 authentication has stayed fixed with the official 3.04 OTA update.
I've just checked that I can connect to an eduroam connection configured this way at a UK university, which the TouchPad couldn't do before.
Awesome news, I will be testing mine out today when I get to school.
Update: I was able to connect at my school, but I had to uncheck the cert box to get it to work.
Yup, I removed my custom certificate on 3.04 and re-joined the access point. It had some new options about authentication built in and sure enough just worked, no issues.
Looks like the little crazy work-around won't be needed anymore.

[Q] 4G connection to POP3 used ipv6?

This morning I was confronted with something weird. My phone all of a sudden could not connect to a remote VPS server via POP3. It would just say No Connection.
The same phone however could connect to everything else, including other services on the same remote server. And, it could connect to other servers using POP3. If I switched to WiFi, it then connected just fine.
Drove me nuts trying to figure out what the issue was.
Obvious things were checked, firewall, pop3 server etc... to no avail...
So finally, I figured that Verizon was having some weird 4G problem related to port 110.. I had the POP3 server, listen on a secondary port... Still nada...
While looking at the POP3 Server configs, I saw that they now had support for ipv6, but that by default it didn't listen to them. So I changed the configuration and bang.... the phone connected...
It was apparently trying to connect to ipv6 since the time I found it was failing.
Wonder if anyone has run into this.... Looking at the logs, my phone is the ONLY device connecting via ipv6, everything else is using ipv4.
Well this turned out to be pretty simple.
If you publish an AAAA record for a host, and you are using Verizon 4G, it will use the AAAA entry for the host in lieu of the AA record.
In my case, this had surprising results that once I figured it out made sense, but at the time caused a lot of confusion as to what was the trigger for the action that was taking place.
krelvinaz said:
Well this turned out to be pretty simple.
If you publish an AAAA record for a host, and you are using Verizon 4G, it will use the AAAA entry for the host in lieu of the AA record.
In my case, this had surprising results that once I figured it out made sense, but at the time caused a lot of confusion as to what was the trigger for the action that was taking place.
Yes.. you learned the hard way that LTE was rolled out with native IPv6 (and preferred stack too). Pretty smart to set up a new network using IPv6 and save us the headaches of upgrading later after the fact...

[Q] Wifi Networks Redirect Issue

I've only had the phone a few hours but I'm at a university that requires DHCP registrations, and my LTEvo will not redirect to the registration page. I've tried this through both the stock browser and Chrome, tried redirects, manually typing in the URL, and even connecting to it through 3G, logging in and then trying to register. Is anyone having similar issues at other universities/coffee shops that require a registration or redirect? I verified that I have a valid, unregistered IP on the network.
Issue resolved after installing viperROM. If anyone can address the issue on the stock ROM, this post could be helpful!
I'm currently having this problem at work (hospital). It's been working fine since I got the phone, but today it won't redirect.
My co-workers GNex and BB works though
I figured it out. When 'Best Wi-fi Performance' is checked, I'm actually unable to pull any connection from the university. Disabling it restores connectivity. I'll look into it with the wireless team here.
Same issue with me, tested at Arby's and McDonalds free Wifi Hotspots.
No Redirect, no web.
Best Performance *IS NOT* checked on mine as it has caused issues for me elsewhere.

Randomized MAC address blocks wifi access

Samsung Galaxy S10e, Android 10 stock.
I am currently a patient at an acute care facility and I use the public Wi-Fi here. Recently, changes were made to the Wi-Fi here, I understand that a new router was installed. Since then, I have been trying to access the Wi-Fi with the correct password, but I get a message that sign in is required and when I click it, I am forwarded to a page that does not load. If I select the menu option to use network as is, I seem to be connected but have no access.
In the past, when accessing this Wi-Fi, I was forwarded to a web page where I had to click a button, and then got access. That page has been gone for quite some time now and the Wi-Fi connected without any issues.
Others accessing the Wi-Fi do not seem to have this issue. I tried numerous things to fix this issue, such as deleting the Wi-Fi connection and re-enabling it and resetting the network connection. The only thing that I found that resolves this issue is turning off the randomization of the MAC address and setting it to use the phone MAC address.
For privacy reasons, I would prefer to use the randomized MAC address. If for some reason my phone is being blocked on this network, which is the only thing I can think of, in my limited knowledge of how this works, it would seem my phone MAC address would be blocked but not a randomized MAC address, because it changes.
My old Galaxy S4 running CyanogenMod Android 6 connects to the Wi-Fi fine, but I don't believe the MAC address is randomized on Android 6, if this is the reason, though this seems unlikely to me as every newer phone would have an issue, since they randomize the MAC address by default.
Can anyone supply me any info on this?
@rsngfrce
If the randomized MAC address ( e.g. 32:8c:27:26:72:34 ) doesn't contain the original OEM code in its first 6 hex-numbers you might face a lot of authentication issues.
jwoegerbauer said:
@rsngfrce
If the randomized MAC address ( e.g. 32:8c:27:26:72:34 ) doesn't contain the original OEM code in its first 6 hex-numbers you might face a lot of authentication issues.
Thanks for your reply. The phone is doing the randomizing as a function of Android and I would have to assume that it would maintain the original OEM code in its first six hex-numbers if this is required (and I have read about that issue). I never had this issue until the new router was installed and I am unaware of anyone else having an issue.
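As an added example (not part of the thread): the first octet of a MAC address carries two flag bits, and the locally administered bit is what separates a software-assigned address, such as the 32:8c:27:26:72:34 quoted above, from one carrying a vendor OUI. The Python below decodes those bits and sorts the client addresses found in log lines; the function names, the log format and every sample address except the one from the thread are constructed for illustration.

```python
import re

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def describe(text):
    """Decode the two flag bits carried in the first octet of the address."""
    mac = parse_mac(text)
    local = bool(mac[0] & 0x02)   # U/L bit set: locally administered, no vendor OUI
    group = bool(mac[0] & 0x01)   # I/G bit set: multicast/group address
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "locally_administered": local,
        "multicast": group,
        # The first three octets identify a vendor only when the U/L bit is clear.
        "oui": None if local else ":".join(f"{b:02x}" for b in mac[:3]),
    }

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

def audit(log_lines):
    """Split client MACs seen in log lines into locally administered and vendor-assigned."""
    seen = {"locally_administered": set(), "vendor_assigned": set()}
    for line in log_lines:
        for match in MAC_RE.findall(line):
            info = describe(match)
            if info["multicast"]:
                continue              # group addresses are not client identities
            key = "locally_administered" if info["locally_administered"] else "vendor_assigned"
            seen[key].add(info["mac"])
    return {k: sorted(v) for k, v in seen.items()}

# Constructed lines in a made-up DHCP log format; only the first MAC is from the thread.
SAMPLE_LOG = [
    "dhcp: OFFER 10.0.0.21 to 32:8c:27:26:72:34",
    "dhcp: OFFER 10.0.0.22 to 00-11-22-33-44-55",
    "dhcp: OFFER 10.0.0.23 to DA:A1:19:00:00:01",
    "dhcp: OFFER 10.0.0.21 to 32:8c:27:26:72:34",
]
```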
