Android SSL No peer certificate

Question

I've got an exception: No peer certificate

When I'm asking google, then i get solution, where i'm trusting all certificates. But answers of this question are, it's insecure.

So I called the class:

HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
           HttpClient client = new DefaultHttpClient();

           SchemeRegistry registry = new SchemeRegistry();
           SSLSocketFactory socketFactory = SSLSocketFactory.getSocketFactory();
           socketFactory.setHostnameVerifier((X509HostnameVerifier) hostnameVerifier);
           registry.register(new Scheme("https", socketFactory, 443));
           SingleClientConnManager mgr = new SingleClientConnManager(client.getParams(), registry);
           DefaultHttpClient httpClient = new DefaultHttpClient(mgr, client.getParams());

           HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
           Log.v("URL:", Url[0]);
           HttpPost post = new HttpPost(Url[0]);  
           post.addHeader("Username", Url[1]);
           post.addHeader("Passwort", Url[2]);
           HttpResponse getResponse = httpClient.execute(post); //Wirft Exception
           HttpEntity responseEntity = getResponse.getEntity();
           UserID = Integer.parseInt(responseEntity.getContent().toString());

This is my class:

class MyHttpClient extends DefaultHttpClient {

final Context context;

public MyHttpClient(Context context) {
    this.context = context;
}

@Override
protected ClientConnectionManager createClientConnectionManager() {
    SchemeRegistry registry = new SchemeRegistry();
    registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
    // Register for port 443 our SSLSocketFactory with our keystore
    // to the ConnectionManager
    registry.register(new Scheme("https", (SocketFactory) newSslSocketFactory(), 443));
    return new SingleClientConnManager(getParams(), registry);
}

private SSLSocketFactory newSslSocketFactory() {
    try {
        // Get an instance of the Bouncy Castle KeyStore format
        KeyStore trusted = KeyStore.getInstance("BKS");
        // Get the raw resource, which contains the keystore with
        // your trusted certificates (root and any intermediate certs)
        InputStream in = context.getResources().openRawResource(R.raw.mykey);
        try {
            // Initialize the keystore with the provided trusted certificates
            // Also provide the password of the keystore
            trusted.load(in, "PASSWORT".toCharArray());
        } finally {
            in.close();
        }
        // Pass the keystore to the SSLSocketFactory. The factory is responsible
        // for the verification of the server certificate.
        SSLSocketFactory sf = new SSLSocketFactory(trusted);
        // Hostname verification from certificate
        // [url=http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506]Chapter2.Connection management[/url]
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return sf;
    } catch (Exception e) {
        throw new AssertionError(e);
    }
}

}

Answer 1

I've discovered another possible cause of the SSLPeerUnverifiedException : No Peer Certificate

If your emulator is running with a date that is earlier than when the certificate was created you'll likely come across this exception.

The certificate in my case was validated on the 10th July, but the emulator had a current date of 7th May.

I have no idea why my emulator had its date set to 7th May since it was supposed to be getting the time from the network, but that's an issue for another time.

Just thought I should share that in case it helps anyone else avoid wasting a couple of days faffing around.

Answer 2

Blindly trusting all certs sounds like a really bad idea. You really should try to find the cause of this problem. I got the same error on an older Android device running 2.3.3 (newer Android versions worked without any problem, as did iOS devices):

javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

After reading several different related questions on SO I came to the conclusion that this can happen for two (maybe more?) reasons:

• Improper installation of an intermediate certificate (verify certs using https://www.digicert.com/help/index.htm)
• Incorrect ordering of the certificate chain

In my case it was an incorrect ordering of certificates. As an example I'm posting the cert order from this question with the insightful answer from user bdc. You can get the certificate ordering by doing the following from a terminal:

openssl s_client -connect eu.battle.net:443

(obviously replacing eu.battle.net with your own server). In the case of eu.battle.net at that time the order was:

Certificate chain
 0 s:/C=US/ST=California/L=Irvine/O=Blizzard Entertainment, Inc./CN=*.battle.net
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

While it should have been:

Certificate chain
 0 s:/C=US/ST=California/L=Irvine/O=Blizzard Entertainment, Inc./CN=*.battle.net
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

The rule is that the issuer of cert "n" in the chain should match the subject of cert "n+1".

Once I found the problem it was trivial to change the cert order on the server and things immediately started working on the Android 2.3.3 device. I guess it's good that older Android versions are a bit pesky about cert order, but it was also a nightmare since newer Android versions reorder the certs automatically. Hell, even an old iPhone 3GS worked with certs out of order.