On the evening of Friday, February 13th, UITS discovered that the myUConn app class schedule module was malfunctioning on Android devices. Research into the problem revealed that an update to the Android operating system prevented these devices from validating the SSL certificate that is part of the myUConn service. The University’s InCommon SSL Certificate service, used by systems that interface with the myUConn app, allows University IT staff to generate an unlimited number of third-party-signed SSL certificates. However, because InCommon is an Intermediate Certificate Authority that signs SSL certificates on behalf of Comodo, strict validation of its certificates requires the intermediate certificate as well. UITS corrected this problem by adding the InCommon intermediate certificate to the myUConn service, and full functionality for Android devices was successfully restored by Saturday morning.
Many clients have a somewhat loose validation process and directly accept the InCommon certificates. Until recently, this included the client on Android devices. UITS believes that stricter SSL validation on the client side will be an industry trend and that, if no action is taken, applications whose SSL certificates are signed by an intermediate authority, but which do not supply the intermediate certificate, will increasingly fail over time. To avoid future outages, UITS will be adding the InCommon intermediate certificate to all of our services that rely on InCommon SSL certificates, and we recommend that our university partners do this as well. To assist you in this effort, we have made the UITS SSL standard available at http://security.uconn.edu/uits-ssltls-standards/.
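The failure described above can be reproduced offline with the `openssl` command line. This is an added example, not UITS tooling or part of the original notice: it builds a throwaway root, intermediate and server certificate, then validates the server certificate the way a strict client does, trusting only the root, first without and then with the intermediate supplied. All subject and file names are constructed for the example, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Constructed test PKI (all names are made up): root CA -> intermediate CA -> server cert.

# issue <dir> <name> <subject> <signer-name|self> [extfile]: make a key and CSR, then sign.
issue() {
  dir=$1; name=$2; subj=$3; signer=$4; ext=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  if [ "$signer" = self ]; then
    set -- -signkey "$dir/$name.key"
  else
    set -- -CA "$dir/$signer.pem" -CAkey "$dir/$signer.key" -CAcreateserial
  fi
  if [ -n "$ext" ]; then set -- "$@" -extfile "$ext"; fi
  openssl x509 -req -in "$dir/$name.csr" -days 2 "$@" -out "$dir/$name.pem" 2>/dev/null
}

# build_chain <dir>: root and intermediate get CA extensions; the server cert does not.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  issue "$1" root "/CN=Example Root CA" self "$1/ca.ext" &&
    issue "$1" intermediate "/CN=Example Intermediate CA" root "$1/ca.ext" &&
    issue "$1" leaf "/CN=service.example.test" intermediate
}

# client_accepts <dir> <server-cert> [intermediate]: strict client that trusts only the root.
# The optional third argument is what the server sends in addition to its own certificate.
client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$2" >/dev/null 2>&1
  fi
}

work=$(mktemp -d) && build_chain "$work" || { echo "openssl setup failed" >&2; exit 1; }
for sent in "" "$work/intermediate.pem"; do
  if client_accepts "$work" "$work/leaf.pem" "$sent"; then result=accepted; else result=rejected; fi
  echo "server sends leaf${sent:+ + intermediate}: $result"
done
rm -rf "$work"
```

To see what a deployed service actually sends, `openssl s_client -connect host:443 -showcerts` (with the service's own host name in place of `host`) lists the presented certificates; a correctly configured service shows the intermediate after the server certificate.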