In the last weeks I started to migrate several cloud-based services I used to my own server. The motivation behind it was the discontinuation of Google Reader (btw Tiny Tiny RSS is an excellent replacement), another one the general indisposition in storing my personal data on foreign servers - but that's not the topic of this post ;-)
After the RSS reader the next targets were my calendar and contacts. I decided to use Horde and its integrated ActiveSync support to synchronise with my mobile devices. I tried to configure the Horde installation as Exchange account on my Android devices and here the problem began - the certificate was not accepted. I tried several different constellations: self-signed, own root ca imported in the trust store or even integrated in the system store in /etc/ssl/cacerts and finally an "official" certificate from StartSSL. All attempts failed.
An advice I've often seen in the Internet while searching a solution was the activation of the "Accept all SSL certificates" option - not the solution someone wants who cares about security. It makes the usage of TLS/SSL almost pointless. After reading some forum postings regarding certificate issues it seems that this advice is followed even in some corporate environments. I'm quite sure there is a number of mobile devices out here, which don't care about the identity of their Exchange or ActiveSync server. Definitely a point pentesters should check while auditing the security of mobile devices of their customers.
Finally Wireshark helped me to find the cause of the issue. The Android ActiveSync client doesn't uses the TLS server name indication extension to communicate with the ActiveSync endpoint, such that the web server can't choose the correct certificate and picks the default one, which was an unexpected certificate in my case.