SSL connection in android

Question

I am in middle of developing an app in android, which requires me sslhandshake with server, using KSOAP2 libraries.

I am able to achieve the same on http sites, but fails on HTTPS sites,saying "could not validate certificate".

Can anybody help out

Answer 1

You can Use SelfSignedCertificate. Just use this method as your HTTPClient:

public static  HttpClient getNewHttpClient() {
    try {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sf, 443));

        ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);

        return new DefaultHttpClient(ccm, params);
    } catch (Exception e) {
        return new DefaultHttpClient();
    }
}

Answer 2

Please note that at least prior to 2.3 Android versions don't have the root CA for the RapidSSL CA among others.

You can check the issuer of a problematic certificate with sites such as http://www.digicert.com/help/

Another quick check is to try to load a HTTPs page in the stock browser and see if it complains about the certificate.

If this does not match your situation then ignore this answer.

If you have a certificate signed by this CA you must either

1. Handle it explicitly in your app by doing something like Danieles answer, but actually also comparing the certificate to a stored one for RapidSSL (or whichever you use).
2. Add an intermediate certificate to the chain at the web server in question to make the RapidSSL certificate certified by GeoTrust.

Check out

http://code.google.com/p/android/issues/detail?id=10807 https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1549

Answer 3

Can this code be of help? https://github.com/mixare/mixare/blob/master/src/org/mixare/MixContext.java

        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }});
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, new X509TrustManager[]{new X509TrustManager(){
        public void checkClientTrusted(X509Certificate[] chain,
                String authType) throws CertificateException {}
        public void checkServerTrusted(X509Certificate[] chain,
                String authType) throws CertificateException {}
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }}}, new SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(
            context.getSocketFactory());

This code is used in mixare.org to accept self-signed certificates.

Please be aware that you are not safe from MITM attacks when using this approach.

HTH, Daniele

Answer 4

It may be because the site you are trying to access may not have CA. It only may only have self-signed certificate. That is a issue you will get when you dealing with self-signed certificate.

Try these links and show us what you have implemented already

http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html

http://developer.android.com/reference/org/apache/http/conn/ssl/SSLSocketFactory.html