I migrated all our users to bes 5.04 and I have since had a few reports from users that https websites are no longer working. After looking in the problem it appears to be a relatively common problem. I found these related KB

hxxp://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB20833

hxxp://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB22536

I have tried to enable "Allow untrusted servers Yes" on the mds https settings. But this has not resolved the problem.

The question I have with this problem is why is it occurring to begin with? I am getting this error when going to hotmail.com but not paypal.com.

Obviously I would prefer not to allow untrusted https connections but I would have hoped the bes would be smart enough to recognise a valid cert from an invalid cert.

Is there a better solution to this problem that I have might have overlooked? because the KB I posted do not resolve the problem. Even after applying the suggested fix i still get cert errors on the devices when trying to access hotmail.com

edit: just found this kb hxxp://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB27716

Looks like it might be a known issue under investigation. hmm.

I think this might be specific to blackberry browser. The blackberry browser is not configured to distinguish between self signed and non self signed certificates only like desktop browsers. But it is configured to detect mismatches between the common name of the certificate and the domain name.

For example hotmail.com which has a common name of login.live.com is not detected by desktop browsers as a need for a security prompt. But on the bb browser it triggers the prompt.

Maybe the question should be how to configure the policy for client side ssl parsing to only warn on non signed certificates and not common name irregularities.