riot-android
Misleading certificate warning on expired cert
When the server cert expires, the warning shown on the Android client is misleading, suggesting that the certificate has changed, which it has not.
This is still an issue as of today. The warning message has changed somewhat since February, but still gives the impression that the certificate was exchanged.
In addition, the warning message has several other issues:
- It says "Could not verify identity of remote server", but not which server is affected by this. As a user, and even as an admin, it is not clear if this is about the Matrix homeserver (which it is, after all) or about the identity server or maybe about riot.im … who knows if the mobile app might have to contact that server, too.
- It says "This could mean that someone is maliciously intercepting your traffic, or that your phone does not trust the certificate provided by the remote server." Probably better would be: "This means that your mobile device does not trust the certificate it received about the remote server's identity, because the certificate has expired." Certificate expiry does not indicate a hacking attack, except if the certificate was exchanged for an already expired one that a hacker might have obtained.
I am confused as it seems that I am getting the same message with a Let’s Encrypt certificate that is certainly not expired:
~ $ openssl s_client -connect matrix.bp99.eu:443 2>/dev/null | openssl x509 -noout -dates 2>&1 | grep 'not[BA]'
notBefore=May 22 22:48:48 2021 GMT
notAfter=Aug 20 22:48:48 2021 GMT
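To make the distinction the comments above ask for concrete, here is an added example in Python (mine, not riot-android code): it parses notBefore/notAfter lines in the format `openssl x509 -noout -dates` prints, and chooses a warning that names the server and states the actual reason, reporting a changed fingerprint separately from mere expiry. The server name, certificate bytes, pinned fingerprint and trust-store verdict are constructed stand-ins.

```python
from datetime import datetime, timezone
import hashlib

# Constructed sample input: the two lines printed by
# `openssl x509 -noout -dates`, plus a stand-in for the DER-encoded cert.
SAMPLE_DATES = ("notBefore=May 22 22:48:48 2021 GMT\n"
                "notAfter=Aug 20 22:48:48 2021 GMT\n")
SAMPLE_DER = b"constructed-sample-certificate-bytes"
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"   # e.g. "Aug 20 22:48:48 2021 GMT"

def utc(*ymdhms):
    """Build a timezone-aware UTC datetime, e.g. utc(2021, 9, 1)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            stamp = datetime.strptime(value.strip(), OPENSSL_DATE)
            dates[key] = stamp.replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]

def fingerprint(der):
    """SHA-256 fingerprint of the certificate bytes, as a hex string."""
    return hashlib.sha256(der).hexdigest()

def classify(server, der, dates_text, pinned_fp, chain_trusted, now):
    """Pick the warning for `server`. pinned_fp is the fingerprint accepted
    earlier (None on first contact); chain_trusted is the trust-store verdict.
    A fingerprint change is checked first: it is the one outcome that actually
    suggests interception, so expiry alone must never produce that wording."""
    not_before, not_after = parse_openssl_dates(dates_text)
    if pinned_fp is not None and fingerprint(der) != pinned_fp:
        return ("CHANGED", f"The certificate presented by {server} is not the "
                "one accepted before; traffic to it may be intercepted.")
    if now > not_after:
        return ("EXPIRED", f"Your device does not trust the certificate from "
                f"{server} because it expired on {not_after:%Y-%m-%d}.")
    if now < not_before:
        return ("NOT_YET_VALID", f"The certificate from {server} is not valid "
                f"before {not_before:%Y-%m-%d}; check the device clock.")
    if not chain_trusted:
        return ("UNTRUSTED", f"Your device does not trust the issuer of the "
                f"certificate from {server}.")
    return ("OK", f"The certificate from {server} is valid and trusted.")
```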