Reputation: 933
Android SSL - No Peer Certificate
Whenever this code runs, I get a 'No Peer Certificate' error.
SSL certificate is valid, bought from Namecheap (PositiveSSL). It has the CA crt before it, and opens fine in the Android browser.
HTTP server: nginx
Code:
public void postData() {
// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
nameValuePairs.add(new BasicNameValuePair("string", "myfirststring"));
try {
HttpPost post = new HttpPost(new URI("https://example.com/submit"));
post.setEntity(new UrlEncodedFormEntity(nameValuePairs));
KeyStore trusted = KeyStore.getInstance("BKS");
trusted.load(null, "".toCharArray());
SSLSocketFactory sslf = new SSLSocketFactory(trusted);
sslf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme ("https", sslf, 443));
SingleClientConnManager cm = new SingleClientConnManager(post.getParams(),
schemeRegistry);
HttpClient client = new DefaultHttpClient(cm, post.getParams());
// Execute HTTP Post Request
@SuppressWarnings("unused")
HttpResponse result = client.execute(post);
} catch (ClientProtocolException e) {
// TODO Auto-generated catch block
Log.e(TAG,e.getMessage());
Log.e(TAG,e.toString());
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
Log.e(TAG,e.getMessage());
Log.e(TAG,e.toString());
e.printStackTrace();
} catch (URISyntaxException e) {
// TODO Auto-generated catch block
Log.e(TAG,e.getMessage());
Log.e(TAG,e.toString());
e.printStackTrace();
} catch (KeyStoreException e) {
// TODO Auto-generated catch block
Log.e(TAG,e.getMessage());
Log.e(TAG,e.toString());
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
Log.e(TAG,e.getMessage());
Log.e(TAG,e.toString());
e.printStackTrace();
} catch (CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
Log.e(TAG,e.toString());
Log.e(TAG,e.getMessage());
} catch (KeyManagementException e) {
// TODO Auto-generated catch block
Log.e(TAG,e.getMessage());
Log.e(TAG,e.toString());
e.printStackTrace();
} catch (UnrecoverableKeyException e) {
// TODO Auto-generated catch block
Log.e(TAG,e.getMessage());
Log.e(TAG,e.toString());
e.printStackTrace();
}
}
Adb logcat:
01-10 15:44:34.872: E/myfirstapp(572): No peer certificate
01-10 15:44:34.872: E/myfirstapp(572): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
01-10 15:44:34.883: W/System.err(572): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
01-10 15:44:34.883: W/System.err(572): at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
01-10 15:44:34.883: W/System.err(572): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
01-10 15:44:34.908: W/System.err(572): at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
01-10 15:44:34.908: W/System.err(572): at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
01-10 15:44:34.908: W/System.err(572): at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
01-10 15:44:34.914: W/System.err(572): at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
01-10 15:44:34.914: W/System.err(572): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
01-10 15:44:34.914: W/System.err(572): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
01-10 15:44:34.914: W/System.err(572): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
01-10 15:44:34.914: W/System.err(572): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
01-10 15:44:34.933: W/System.err(572): at com.giggsey.myfirstapp.myfirstappIntent.postData(myfirstappIntent.java:126)
01-10 15:44:34.933: W/System.err(572): at com.giggsey.myfirstapp.myfirstappIntent.onReceive(myfirstappIntent.java:77)
01-10 15:44:34.933: W/System.err(572): at android.app.ActivityThread.handleReceiver(ActivityThread.java:2118)
01-10 15:44:34.945: W/System.err(572): at android.app.ActivityThread.access$1500(ActivityThread.java:122)
01-10 15:44:34.945: W/System.err(572): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1196)
01-10 15:44:34.952: W/System.err(572): at android.os.Handler.dispatchMessage(Handler.java:99)
01-10 15:44:34.952: W/System.err(572): at android.os.Looper.loop(Looper.java:137)
01-10 15:44:34.962: W/System.err(572): at android.app.ActivityThread.main(ActivityThread.java:4340)
01-10 15:44:34.962: W/System.err(572): at java.lang.reflect.Method.invokeNative(Native Method)
01-10 15:44:34.962: W/System.err(572): at java.lang.reflect.Method.invoke(Method.java:511)
01-10 15:44:34.972: W/System.err(572): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
01-10 15:44:34.972: W/System.err(572): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
01-10 15:44:34.981: W/System.err(572): at dalvik.system.NativeStart.main(Native Method)
Upvotes: 18
Views: 56491
Answers (9)
Reputation: 308
I have just recently gone through this problem. It wasn't the chain order that was the problem, but I have had that before.
What was the issue was that the server only accepts TLS1.2 socket connections. android 19 and lower default socket connection is TLS1 SSLSocket Docs
With the help of Enable TLS 1.2 in Android 4.4 I was able to get this to work. The question description worked for me. But please ensure that you do have the answer code in you application
Upvotes: 1
Reputation: 3086
Make sure you are using HttpsURLConnection instead of HttpURLConnection.
Upvotes: 0
Reputation: 11
Check your system time.If the time is not current time may cause this error.
Upvotes: 1
Reputation: 109
I tried to fix this from android code by adding an "accept all certificate" rule. But all the effort from android side was worthless. Finally making a CNAME in registrar entry that ensured that all requests go to the same IP address fixed the problem
Upvotes: 0
Reputation: 620
I remove all the Scheme Registry staff and the "No peer Certification error" is solved.
ie.
I remove this code from mine
SchemeRegistry schReg = new SchemeRegistry();
schReg.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
schReg.register(new Scheme("https",SSLSocketFactory.getSocketFactory(), 443));
SingleClientConnManager conMgr = new SingleClientConnManager(params,post.getParams());
may be you can try remove those from yours.
Upvotes: 0
Reputation: 10242
Even though this question has an accepted answer I thought it worthwhile to answer since I got the same error on an older Android device running 2.3.3:
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
After reading several different related questions on SO I came to the conclusion that this can happen for two (maybe more?) reasons:
- Improper installation of an intermediate certificate
- Incorrect ordering of the certificate chain
In my case it was an incorrect ordering of certificates. As an example I'm posting the cert order from this question with the insightful answer from user bdc. You can get the certificate ordering by doing the following from a terminal:
openssl s_client -connect eu.battle.net:443
(obviously replacing eu.battle.net with your own server). In the case of eu.battle.net at that time the order was:
Certificate chain
0 s:/C=US/ST=California/L=Irvine/O=Blizzard Entertainment, Inc./CN=*.battle.net
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
While it should have been:
Certificate chain
0 s:/C=US/ST=California/L=Irvine/O=Blizzard Entertainment, Inc./CN=*.battle.net
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
The rule is that the issuer of cert "n" in the chain should match the subject of cert "n+1".
Once I found the problem it was trivial to change the cert order on the server and things immediately started working on the Android 2.3.3 device. I guess it's good that older Android versions are a bit pesky about cert order, but it was also a nightmare since newer Android versions reorder the certs automatically. Hell, even an old iPhone 3GS worked with certs out of order.
Upvotes: 24
Reputation: 5975
I'm actually trying to diagnose this myself right now, and it appears one thing that may cause this issue is that the server is down or the connection times out.
Upvotes: 0
Reputation: 5662
Because certificate is valid you should not use custom SchemeRegistry, you should just rely on default android certificate validation mechanism.
Upvotes: 0
Reputation: 18348
If it is not a Server issue, which in most cases that I have seen this issue it is related to either missing intermediate certs or bad a install of the certs.
Try using the Scheme Registry like this:
SchemeRegistry schReg = new SchemeRegistry();
schReg.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
schReg.register(new Scheme("https",SSLSocketFactory.getSocketFactory(), 443));
SingleClientConnManager conMgr = new SingleClientConnManager(params,post.getParams());
Upvotes: 3
Related Questions
- Problems with https (No peer certificate) in android
- How do I avoid getting "No peer certificate" error when connecting to this HTTPS site on Android?
- javax.net.ssl.sslpeerunverifiedexception no peer certificate
- Android ssl: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate (yet again)
- Android SSL No peer certificate
- Error in android application: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
- 'No peer certificate' exception, but only on Mobile Data
- 'No peer certificate' error in Android 2.3 but NOT in 4
- Get "No peer certificate" in Android 4.3
- "No peer certificate" android application