Android app does not check alternative domain names for https

I moved to using the Subject Alternative Name extension for my servers instead of common names, and instead used the common name to give a short description of the service protected by the certificate. Since then the Seafile Android app started complaining about connections not being secured and I have to go and tell everyone just to ignore it if we are in our private network (defeating the purpose of using HTTPS).

Have any of you experienced a similar behavior? Is there any workaround besides the one I described?

I have the same problem with Debian 9 and Android 7.0.
Nginx uses the elliptic curve "ssl_ecdh_curve secp384r1" on Debian 9. It is impossible to decrease this curve on Debian 9. Android 7.0 is only compatible with the curve "ssl_ecdh_curve prime256v1". It is necessary to update Android to 7.1 or later to solve the problem.

I found a temporary solution while waiting for the 7.1 update of my Android smartphone. I added a lower cipher to the nginx configuration for Seafile:

  • ssl_ecdh_curve prime256v1:secp384r1;
  • ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  • ssl_ciphers "DHE-RSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA";

You must add DHE-RSA-AES256-SHA to the nginx configuration for Seafile, and the certificate is then accepted by the Seafile application on Android 7.0.

Here are the results on SSL Server Test (Powered by Qualys SSL Labs)
Before the addition of DHE-RSA-AES256-SHA

After the addition of DHE-RSA-AES256-SHA

That’s not my problem:

Chrome on Android accepts the certificate:

I assume this is because the "Common Name" of the certificate is not the DNS name of the server. I declare all of the valid DNS names under the "Subject Alternative Name" fields, and Seafile for Android completely ignores them.
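
The mismatch described in the post above, sketched as an added example (not part of the thread and not Seafile's code): a CN-only hostname check beside the RFC 6125 rule that dNSName entries in the Subject Alternative Name extension take precedence over the Common Name. The certificate dicts follow the shape of Python's `ssl.SSLSocket.getpeercert()`; all host names, certificates and function names are constructed for illustration.

```python
# Added illustration, not Seafile code. Certificates are dicts in the shape
# returned by ssl.SSLSocket.getpeercert(); all names below are constructed.

def _label_match(pattern, host):
    """Match one certificate name against a host; '*' only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def match_cn_only(cert, host):
    """Legacy check: looks at the Common Name and never reads the SAN extension."""
    return any(_label_match(cn, host) for cn in _common_names(cert))

def match_san_first(cert, host):
    """RFC 6125-style check: dNSName SANs, when present, are authoritative."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_label_match(n, host) for n in dns_names)
    return match_cn_only(cert, host)  # CN fallback only when no dNSName exists

# Constructed certificate: descriptive CN, real host names only in the SAN extension.
DESCRIPTIVE_CN_CERT = {
    "subject": ((("commonName", "Seafile file service"),),),
    "subjectAltName": (("DNS", "files.example.internal"), ("DNS", "*.lan.example.internal")),
}
# Constructed certificate: the CN names one host, the SAN names a different one.
MISMATCH_CERT = {
    "subject": ((("commonName", "files.example.internal"),),),
    "subjectAltName": (("DNS", "other.example.internal"),),
}

def compare(cert, host):
    return {"cn_only": match_cn_only(cert, host), "san_first": match_san_first(cert, host)}

if __name__ == "__main__":
    for cert, host in [(DESCRIPTIVE_CN_CERT, "files.example.internal"),
                       (DESCRIPTIVE_CN_CERT, "sync.lan.example.internal"),
                       (MISMATCH_CERT, "files.example.internal")]:
        print(host, compare(cert, host))
```

The first certificate is rejected by the CN-only check and accepted by the SAN-first check, which is the symptom reported here; the second shows the opposite failure, where a CN-only client accepts a host name that the SAN extension does not cover.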

Issuer Name: "OID.1.2.840.113549.1.9.1=user1@10.205.57.195"
OID.1.2.840.113549.1.9.1 is the ASN.1 object identifier used to identify this signature algorithm. "user1@10.205.57.195" is the e-mail address of the issuer.

I am talking about this

Do you use Seafile on a Windows server?