Device gets wrong certificate

Hi,

Not sure whether this is actually a GroupWise Mobile device server problem.

Setup:
Running the GroupWise Mobile server 2.01. Dashboard looking ok; everything green and synced. Great.
Using the default SSL port 443. The router is a Vigor Draytek 2880n which has 443 open and connects to the local IP of the datasync server (or is it GroupWise Mobile server).

When I try to connect with an Android device or iPhone I get the message that there is a problem with the certificate. This usually happens, as we rarely use an official certificate. Normally it will work anyway. Not this time however.

Examining the certificate indicates that the owner is the.. Draytek device. This puzzles me as we have dozens of setups running with the same hardware. But the phone will of course not sync in this case.

Using a firewall entry 443 which connects to the local server or using the Port Address Translation feature in the gateway does not make a difference.

Again not sure if it is related to the DS server itself. But I'm sure that someone has a bright idea how to solve this.

Thanks in advance.

Eric Loderichs
  • Eloderichs,
    > Examining the certificate indicates that the owner is the.. Draytek
    > device.


    That would indicate that the router and not the GMS server is answering
    the request in this case.

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

    Have an idea for a product enhancement? Please visit:
    http://www.novell.com/rms

  • If the box to which you are pointing your devices is doing some kind of
    SSL termination (meaning it is the SSL server and then it establishes
    another connection to the backend for the client, usually for purposes of
    inspection of traffic or to remove the need for SSL on the backend
    entirely) then you'll need to fix that device. You can see the same
    results as on the phones if you connect to the same IP/port using
    something like openssl (note that connecting to something like this often
    depends on DNS, and often DNS has different entries for clients
    inside/outside the organization, so be sure you're hitting the same system
    when doing this test or else it is an invalid test from the start):


    openssl s_client -connect ip.addr.goes.here:443 -showcerts | openssl x509 -text


    In my opinion, the chances of this showing anything different are terribly
    small, but at least this is an easy way you can test from any old Linux
    system (or system with Cygwin installed for those stuck on an inferior
    option) which is usually a better place for troubleshooting than a phone.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
  • ab;2342843 wrote:
    If the box to which you are pointing your devices is doing some kind of
    SSL termination (meaning it is the SSL server and then it establishes
    another connection to the backend for the client, usually for purposes of
    inspection of traffic or to remove the need for SSL on the backend
    entirely) then you'll need to fix that device. You can see the same
    results as on the phones if you connect to the same IP/port using
    something like openssl (note that connecting to something like this often
    depends on DNS, and often DNS has different entries for clients
    inside/outside the organization, so be sure you're hitting the same system
    when doing this test or else it is an invalid test from the start):


    openssl s_client -connect ip.addr.goes.here:443 -showcerts | openssl x509 -text


    In my opinion, the chances of this showing anything different are terribly
    small, but at least this is an easy way you can test from any old Linux
    system (or system with Cygwin installed for those stuck on an inferior
    option) which is usually a better place for troubleshooting than a phone.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...


    Ok thanks. I've been looking at the Draytek config in detail but cannot find anything. Trouble is that it has a site 2 site connection up and running to a 2nd location, which makes it hard to just clear / reboot / reconfigure it. Beyond the fact that we don't maintain this device for this customer. Maybe just connecting the phone to the wireless LAN and then see when I put a local address in it. Will have to create a split DNS anyway.
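
The comparison the replies suggest (what answers on the public address versus what the server itself serves on the LAN), as an added shell example that is not part of the thread. The two addresses given on the command line are placeholders you supply, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: does the router or the server answer TLS on port 443?
# Both addresses are supplied by the caller (placeholders, not from the thread).

# Print subject, issuer and SHA-256 fingerprint of the leaf certificate served
# at host:port. </dev/null makes s_client exit once the handshake is done.
cert_summary() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -fingerprint -sha256 2>/dev/null
}

# Extract the fingerprint from a summary. The label is "SHA256 Fingerprint="
# on OpenSSL 1.1 and "sha256 Fingerprint=" on 3.x, so match either case.
fingerprint_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | tr 'a-f' 'A-F'
}

# Compare the certificate seen on the public side with the one the server
# serves on the LAN. Returns 0 = same, 1 = different, 2 = no answer.
compare_endpoints() {
    outside=$(fingerprint_of "$1")
    inside=$(fingerprint_of "$2")
    if [ -z "$outside" ] || [ -z "$inside" ]; then
        echo "UNKNOWN: no certificate received from one side"
        return 2
    fi
    if [ "$outside" = "$inside" ]; then
        echo "SAME: port 443 is forwarded to the server"
        return 0
    fi
    echo "DIFFERENT: another device is answering on the public side"
    return 1
}

# Usage: sh whoanswers.sh PUBLIC_ADDR LAN_ADDR
# Use IP addresses so split DNS cannot send the two probes to the same host.
if [ "$#" -eq 2 ]; then
    pub=$(cert_summary "$1" 443)
    lan=$(cert_summary "$2" 443)
    printf 'Public side:\n%s\n\nLAN side:\n%s\n\n' "$pub" "$lan"
    compare_endpoints "$pub" "$lan"
fi
```

Run the public-side probe from outside the network and the LAN-side probe from inside it; a DIFFERENT verdict together with a subject naming the router matches the symptom described in the first post.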