I'm trying to make HTTPS connections, using HttpClient
lib, but the problem is that, since the certificate isn't signed by a recognized Certificate Authority (CA) like Verisign,GlobalSIgn, etc., listed on the set of Android Trusted Certificates, I keep getting javax.net.ssl.SSLException: Not trusted server certificate
.
I've seen solutions where you simply accept all certificates, but what if I want to ask the user?
I want to get a dialog similar to that of the browser, letting the user decide to continue or not. Preferably I'd like to use the same certificatestore as the browser. Any ideas?
The following main steps are required to achieve a secured connection from Certification Authorities which are not considered as trusted by the android platform.
As requested by many users, I've mirrored the most important parts from my blog article here:
java.net.ssl.HttpsURLConnection
(easier to understand, more performant)Grab the certs
You have to obtain all certificates that build a chain from the endpoint certificate the whole way up to the Root CA. This means, any (if present) Intermediate CA certs and also the Root CA cert. You don’t need to obtain the endpoint certificate.
Create the keystore
Download the BouncyCastle Provider and store it to a known location. Also ensure that you can invoke the keytool command (usually located under the bin folder of your JRE installation).
Now import the obtained certs (don’t import the endpoint cert) into a BouncyCastle formatted keystore.
I didn’t tested it, but I think the order of importing the certificates is important. This means, import the lowermost Intermediate CA certificate first and then all the way up to the Root CA certificate.
With the following command a new keystore (if not already present) with the password mysecret will be created and the Intermediate CA certificate will be imported. I also defined the BouncyCastle provider, where it can be found on my file system and the keystore format. Execute this command for each certificate in the chain.
Verify if the certificates were imported correctly into the keystore:
Should output the whole chain:
Now you can copy the keystore as a raw resource in your android app under
res/raw/
Use the keystore in your app
First of all we have to create a custom Apache HttpClient that uses our keystore for HTTPS connections:
We have created our custom HttpClient, now we can just use it for secure connections. For example when we make a GET call to a REST resource.
That's it ;)
Google recommends the usage of Android Volley for HTTP/HTTPS connections, since that
HttpClient
is deprecated. So, you know the right choice :).And also, NEVER NUKE SSL Certificates (NEVER!!!).
To nuke SSL Certificates, is totally against the purpose of SSL, which is promoting security. There's no sense of using SSL, if you're planning to bomb all SSL certificates that comes. A better solution would be, not using SSL, or a better solution, would be creating a custom
TrustManager
on your App + using Android Volley for HTTP/HTTPS connections.Here's a Gist which I created, with a basic LoginApp, performing HTTPS connections, using a Self-Signed Certificate on the server-side, accepted on the App.
Here's also another Gist that may help, for creating Self-Signed SSL Certificates for setting up on your Server and also using the certificate on your App. Very important: you must copy the .crt file which was generated by the script above, to the "raw" directory from your Android project.
This is problem resulting from lack of SNI(Server Name Identification) support inA,ndroid 2.x. I was struggling with this problem for a week until I came across the following question, which not only gives a good background of the problem but also provides a working and effective solution devoid of any security holes.
'No peer certificate' error in Android 2.3 but NOT in 4
The first thing you need to do is to set the level of verification. Such levels is not so much:
Although the method setHostnameVerifier() is obsolete for new library apache, but for version in Android SDK is normal. And so we take
ALLOW_ALL_HOSTNAME_VERIFIER
and set it in the method factorySSLSocketFactory.setHostnameVerifier()
.Next, You need set our factory for the protocol to https. To do this, simply call the
SchemeRegistry.register()
method.Then you need to create a
DefaultHttpClient
withSingleClientConnManager
. Also in the code below you can see that on default will also use our flag (ALLOW_ALL_HOSTNAME_VERIFIER
) by the methodHttpsURLConnection.setDefaultHostnameVerifier()
Below code works for me:
Simplest way for create SSL certificate
Open Firefox (I suppose it's also possible with Chrome, but it's easier for me with FF)
Visit your development site with a self-signed SSL certificate.
Click on the certificate (next to the site name)
Click on "More information"
Click on "View certificate"
Click on "Details"
Click on "Export..."
Choose "X.509 Certificate whith chain (PEM)", select the folder and name to save it and click "Save"
Go to command line, to the directory where you downloaded the pem file and execute "openssl x509 -inform PEM -outform DM -in .pem -out .crt"
Copy the .crt file to the root of the /sdcard folder inside your Android device Inside your Android device, Settings > Security > Install from storage.
It should detect the certificate and let you add it to the device Browse to your development site.
The first time it should ask you to confirm the security exception. That's all.
The certificate should work with any browser installed on your Android (Browser, Chrome, Opera, Dolphin...)
Remember that if you're serving your static files from a different domain (we all are page speed bitches) you also need to add the certificate for that domain.
Maybe this will helpful... it works on java clients using self-signed certificates (there is no check of the certificate). Be careful and use it only for development cases because that is no secure at all!!
How to ignore SSL certificate errors in Apache HttpClient 4.0
Hope it will works on Android just adding HttpClient library... good luck!!