Certificate Trust - Synology


#1

I’m running OmniPresence on my Synology DiskStation. I have an SSL certificate (purchased through a registrar - Namecheap). All my web browsers can connect to the Synology just fine, without any security errors (I get the green bar using https in Safari, Chrome, and Firefox). Using OmniOutliner on the iPad, though, I get this error every time I connect:

Certificate Trust
"The server certificate for “pretendname.com” does not seem to be valid. This site may not be trustworthy. Would you like to connect anyway?"

I have to click “Continue” every time. This seems to also be preventing background sync.

Any ideas? Is there any way to always trust this server, so I don’t get prompted?

Thanks for any help


#2

I believe the underlying issue here is that iOS 9’s App Transport Security (ATS) is more strict in its default configuration than web browsers are. We’ve tried to relax those restrictions somewhat in OmniPresence to allow you to connect to arbitrary servers, but they’re still not as relaxed as what web browsers allow.

If you have access to OS X, you could try using nscurl to see exactly what ATS thinks is wrong with the connection. Quoting from a useful blog post by Tim Ekl (one of our developers):

While CFNETWORK_DIAGNOSTICS can be quite handy, its output can also be somewhat cryptic, and it’s a bit of a hassle to pull the log file off an iOS device. If you have access to an OS X machine running 10.11 or later, the command-line utility nscurl provides some basic ATS debugging capabilities. Simply open a Terminal and run:

nscurl --ats-diagnostics https://example.com

The tool will run through several different combinations of ATS exceptions, trying a secure connection to the given host under each ATS configuration and reporting the result. The ATS configuration changes made by nscurl include:

  • Turning on the “allow arbitrary loads” flag
  • Dropping the minimum required TLS version to 1.1, then 1.0
  • Removing the Perfect Forward Secrecy (PFS) requirement

Including the --verbose flag alongside --ats-diagnostics causes nscurl to also output the exact ATS configuration dictionary being used for each connection, as well as the error returned in its internal NSURLSessionDelegate implementation.

If you can’t resolve this on your end (for example, if the Synology allows TLS 1.0 connections, which ATS considers insecure), this might be something we need to fix in OmniOutliner.
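
The checks the reply above is driving at, as an added example that is not part of this thread and not Omni's or Tim Ekl's code: a POSIX shell script that asks the server the same three questions nscurl's ATS diagnostics revolve around (what certificate chain it sends, whether it negotiates TLS 1.2, and whether the negotiated cipher suite gives forward secrecy), using openssl s_client instead of nscurl so it also runs on Linux. The hostname and port on the command line are placeholders for your own Synology and WebDAV port; the transcript embedded in sample_transcript is constructed to look like s_client output and is not from a real server.

```shell
#!/bin/sh
# Added example for this thread: probe a TLS endpoint with openssl s_client for the
# three things ATS is stricter about than a browser (chain, TLS version, forward
# secrecy). Not Omni's code. HOST and PORT are placeholders for your own server.

# Number of certificates the server sent, from an "s_client -showcerts" transcript on
# stdin. A count of 1 means only the leaf was sent: a leaf signed by an intermediate
# then fails on any client that does not go and fetch the missing intermediate itself.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Numeric OpenSSL verify code from the transcript on stdin. 0 is ok; 21 ("unable to
# verify the first certificate") is what a chain with no intermediate looks like;
# 20 with a full chain usually just means openssl has no local root store (-CAfile).
verify_code() {
    sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Negotiated cipher suite name from the transcript on stdin ("0000" on a failed handshake).
cipher_name() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Exit 0 when a suite name implies an ephemeral (forward-secret) key exchange, which is
# what ATS's forward-secrecy requirement is about. TLS 1.3 suites are always ephemeral.
cipher_is_pfs() {
    case "$1" in
        ECDHE-*|DHE-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample transcript (not from a real server): leaf only, intermediate missing.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
MIIB...(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# One real connection; prints the s_client transcript. Needs network, so only used
# when HOST and PORT are given. $3 is an extra openssl flag such as -tls1_2.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts $3 </dev/null 2>&1
}

# Summarise one transcript (passed as a string) the way a practitioner reads it.
report() {
    transcript=$1
    printf 'certificates sent by server : %s\n' "$(printf '%s\n' "$transcript" | chain_length)"
    printf 'openssl verify return code  : %s\n' "$(printf '%s\n' "$transcript" | verify_code)"
    cipher=$(printf '%s\n' "$transcript" | cipher_name)
    case "$cipher" in
        ""|0000) echo 'TLS 1.2 cipher suite        : none (TLS 1.2 handshake failed; ATS needs TLS 1.2)' ;;
        *)
            printf 'TLS 1.2 cipher suite        : %s\n' "$cipher"
            if cipher_is_pfs "$cipher"; then
                echo 'forward secrecy             : yes'
            else
                echo 'forward secrecy             : no (ATS rejects this unless NSExceptionRequiresForwardSecrecy is false)'
            fi ;;
    esac
}

# Usage: sh ats_probe.sh HOST PORT   (e.g. sh ats_probe.sh example.com 1000)
if [ "$#" -ge 2 ]; then
    report "$(probe "$1" "$2" -tls1_2)"
    # Informational: a server that still answers TLS 1.0 only matters to ATS if it
    # cannot also negotiate TLS 1.2, which the -tls1_2 probe above already answered.
    if probe "$1" "$2" -tls1 | grep -q 'Cipher *: *[A-Z]'; then
        echo 'TLS 1.0 accepted            : yes'
    else
        echo 'TLS 1.0 accepted            : no'
    fi
else
    echo '(no HOST PORT given; summarising the constructed sample transcript instead)'
    report "$(sample_transcript)"
fi
```

Run it as `sh ats_probe.sh yourhost 1000` from outside the network, the same way the WebDAV client reaches the box. The combination to look for in the "works in every browser" situation is one certificate sent plus verify code 21: browsers will often fetch a missing intermediate on their own, but whether any other client does is not something to rely on, so the server should send the leaf followed by its intermediate(s). nscurl remains the authoritative ATS verdict; this only shows what the server actually puts on the wire.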


#3

Thank you for the reply. I used nscurl in Terminal from both within and without the network. I pointed it to https://example.com:1000, where example.com is my Synology, and 1000 is the port forwarded to WebDAV. I’m not 100% sure what I’m looking for, but I got all “PASS” results (13 in total).

I did just notice I’m getting an untrusted certificate warning from OmniPresence on OS X, too. That gives me the option to trust it.

I’m sure it’s quite possible I set up my certificates incorrectly, but I’m not getting errors in any browsers.

One thing I should note is that I recently switched from a self-signed certificate to a certificate from a registrar that I then installed on the Synology. Is there any sort of caching issue with certificates, where I should go back and delete my OmniPresence connections and redo them?