[FIX] SSL handling

owncloudApp/src/main/java/com/owncloud/android/ui/dialog/SslUntrustedCertDialog.java

@@ -82,7 +82,9 @@ public static SslUntrustedCertDialog newInstanceForFullSslError(CertificateCombi
             throw new IllegalArgumentException("Trying to create instance with parameter sslException == null");
         }
         SslUntrustedCertDialog dialog = new SslUntrustedCertDialog();
-        dialog.m509Certificate = sslException.getServerCertificate();
+        dialog.m509Certificate = sslException.getSslPeerUnverifiedException() == null
+                ? sslException.getServerCertificate()
+                : null;
         dialog.mErrorViewAdapter = new CertificateCombinedExceptionViewAdapter(sslException);
         dialog.mCertificateViewAdapter = new X509CertificateViewAdapter(sslException.getServerCertificate());
         return dialog;
@@ -144,6 +146,12 @@ public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle sa
         Button cancel = mView.findViewById(R.id.btnCancel);
         cancel.setOnClickListener(new OnCertificateNotTrusted());
 
+        if (m509Certificate == null) {
+            ok.setText(android.R.string.ok);
+            mView.findViewById(R.id.question).setVisibility(View.GONE);
+            cancel.setVisibility(View.GONE);
+        }
+
         Button details = mView.findViewById(R.id.details_btn);
         details.setOnClickListener(new OnClickListener() {
 
@@ -219,6 +227,8 @@ public void onClick(View v) {
                     ((OnSslUntrustedCertListener) activity).onFailedSavingCertificate();
                     Timber.e(e, "Server certificate could not be saved in the known-servers trust store ");
                 }
+            } else if (mHandler == null) {
+                ((OnSslUntrustedCertListener) getActivity()).onCancelCertificate();
             }
         }
 

owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/HttpClient.java

@@ -28,6 +28,7 @@
 
 import com.owncloud.android.lib.common.http.logging.LogInterceptor;
 import com.owncloud.android.lib.common.network.AdvancedX509TrustManager;
+import com.owncloud.android.lib.common.network.KnownServersHostnameVerifier;
 import com.owncloud.android.lib.common.network.NetworkUtils;
 import okhttp3.Cookie;
 import okhttp3.CookieJar;
@@ -125,7 +126,7 @@ private OkHttpClient buildNewOkHttpClient(SSLSocketFactory sslSocketFactory, X50
                 .connectTimeout(HttpConstants.DEFAULT_CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS)
                 .followRedirects(false)
                 .sslSocketFactory(sslSocketFactory, trustManager)
-                .hostnameVerifier((asdf, usdf) -> true)
+                .hostnameVerifier(new KnownServersHostnameVerifier(mContext))
                 .cookieJar(cookieJar)
                 .build();
     }

owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/network/AdvancedX509TrustManager.java

@@ -84,11 +84,16 @@ public void checkClientTrusted(X509Certificate[] certificates, String authType)
         mStandardTrustManager.checkClientTrusted(certificates, authType);
     }
 
+    public static final ThreadLocal<X509Certificate> sLastCert = new ThreadLocal<>();
+
     /**
      * @see javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[],
      * String authType)
      */
     public void checkServerTrusted(X509Certificate[] certificates, String authType) {
+        if (certificates != null && certificates.length > 0) {
+            sLastCert.set(certificates[0]);
+        }
         if (!isKnownServer(certificates[0])) {
             CertificateCombinedException result = new CertificateCombinedException(certificates[0]);
             try {

owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/network/KnownServersHostnameVerifier.java

@@ -0,0 +1,63 @@
+/**
+ * ownCloud Android client application
+ *
+ * Copyright (C) 2026 ownCloud GmbH.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package com.owncloud.android.lib.common.network;
+
+import android.content.Context;
+
+import okhttp3.internal.tls.OkHostnameVerifier;
+import timber.log.Timber;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+public class KnownServersHostnameVerifier implements HostnameVerifier {
+
+    private final Context mContext;
+    private final HostnameVerifier mDelegate;
+
+    public KnownServersHostnameVerifier(Context context) {
+        this(context, OkHostnameVerifier.INSTANCE);
+    }
+
+    KnownServersHostnameVerifier(Context context, HostnameVerifier delegate) {
+        if (context == null) {
+            throw new IllegalArgumentException("Context may not be NULL!");
+        }
+        mContext = context.getApplicationContext() != null ? context.getApplicationContext() : context;
+        mDelegate = delegate;
+    }
+
+    @Override
+    public boolean verify(String hostname, SSLSession session) {
+        if (mDelegate.verify(hostname, session)) {
+            return true;
+        }
+        try {
+            Certificate[] peerCerts = session.getPeerCertificates();
+            if (peerCerts.length > 0 && peerCerts[0] instanceof X509Certificate) {
+                return NetworkUtils.isCertInKnownServersStore(peerCerts[0], mContext);
+            }
+        } catch (SSLPeerUnverifiedException e) {
+            Timber.d(e, "No peer certificates during hostname verification for %s", hostname);
+        }
+        return false;
+    }
+}

owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/network/NetworkUtils.java

@@ -94,4 +94,16 @@ public static void addCertToKnownServersStore(Certificate cert, Context context)
         }
     }
 
+    public static boolean isCertInKnownServersStore(Certificate cert, Context context) {
+        if (cert == null || context == null) {
+            return false;
+        }
+        try {
+            return getKnownServersStore(context).getCertificateAlias(cert) != null;
+        } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException e) {
+            Timber.e(e, "Fail while checking certificate in the known-servers store");
+            return false;
+        }
+    }
+
 }

owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/operations/RemoteOperationResult.java

@@ -32,6 +32,7 @@
 import com.owncloud.android.lib.common.accounts.AccountUtils;
 import com.owncloud.android.lib.common.http.HttpConstants;
 import com.owncloud.android.lib.common.http.methods.HttpBaseMethod;
+import com.owncloud.android.lib.common.network.AdvancedX509TrustManager;
 import com.owncloud.android.lib.common.network.CertificateCombinedException;
 import okhttp3.Headers;
 import org.apache.commons.lang3.exception.ExceptionUtils;
@@ -148,6 +149,13 @@ public RemoteOperationResult(Exception e) {
 
         } else if (e instanceof SSLException || e instanceof RuntimeException) {
             if (e instanceof SSLPeerUnverifiedException) {
+                java.security.cert.X509Certificate lastCert = AdvancedX509TrustManager.sLastCert.get();
+                AdvancedX509TrustManager.sLastCert.remove();
+                CertificateCombinedException sslPeerUnverifiedException =
+                        new CertificateCombinedException(lastCert);
+                sslPeerUnverifiedException.setSslPeerUnverifiedException((SSLPeerUnverifiedException) e);
+                sslPeerUnverifiedException.initCause(e);
+                mException = sslPeerUnverifiedException;
                 mCode = ResultCode.SSL_RECOVERABLE_PEER_UNVERIFIED;
             } else {
                 CertificateCombinedException se = getCertificateCombinedException(e);