Invalid certificate and httpclient error on Android

I am using the Apache HttpClient library to establish an https connection. Unfortunately, Android gives me the error "Invalid server certificate". If I go to the site using my phone's browser, it validates the certificate correctly, which makes me think that I need to make HttpClient "aware" of the root certificates on the phone. This is my HttpClient setup code:

    HttpParams params = new BasicHttpParams();
    HttpConnectionParams.setConnectionTimeout( params, 20000 );
    HttpConnectionParams.setSoTimeout( params, 20000 );
    HttpProtocolParams.setVersion( params, HttpVersion.HTTP_1_1 );
    HttpProtocolParams.setContentCharset( params, HTTP.DEFAULT_CONTENT_CHARSET );
    HttpProtocolParams.setUseExpectContinue( params, false );

    // Register plain HTTP on 80 and the default SSLSocketFactory for HTTPS on 443.
    SchemeRegistry schReg = new SchemeRegistry();
    schReg.register( new Scheme( "http", PlainSocketFactory.getSocketFactory(), 80 ) );
    schReg.register( new Scheme( "https", SSLSocketFactory.getSocketFactory(), 443 ) );

    ClientConnectionManager conMgr = new ThreadSafeClientConnManager( params, schReg );
    DefaultHttpClient defaultHttpClient = new DefaultHttpClient( conMgr, params );
    return ( defaultHttpClient );

As you can see, I am not doing anything with SSLSocketFactory. How can I get the HttpClient library to check my site without adding a special certificate to the keystore? Should I create a custom SSLSocketFactory and download cacerts.bks from an Android phone? In that case, might I have problems with different keystore passwords on different phones?

Please let me know if you need more information. This SSL stuff is pretty complicated for me.

+4
3 answers

I believe that your certificate is not accompanied by all the intermediate certificates necessary to verify the path to a system trusted root certificate. Some SSL verification tools report this as an incomplete certificate chain.

The certificate may contain a special Authority Information Access extension (RFC 3280) with the URL of the issuer certificate. Most browsers can use the AIA extension to download a missing intermediate certificate and complete the certificate chain. But some clients (mobile browsers, OpenSSL) do not support this extension, so they report such a certificate as untrusted.

You can fix an incomplete certificate chain manually by concatenating all the certificates from your certificate up to the trusted root certificate (exclusive, in this order). Note that the trusted root certificate should not be included, because it is already in the system root certificate store.

You should be able to get the intermediate certificates from the issuer and concatenate them. I wrote a script to automate the procedure; it walks the AIA extension and outputs a properly chained certificate: https://github.com/zakjan/cert-chain-resolver

+2
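The chain-completion rule in the answer above, shown end to end with openssl. This is an added example, not code from the thread or from the cert-chain-resolver tool: it builds a constructed root -> intermediate -> leaf chain for "example.com" (all names, file names and lifetimes are made up), then checks the leaf the way a client that cannot follow AIA does, with only what the server sends plus the trust store. It also counts self-signed certificates in the chain file, which catches the mistake of appending the root.

```shell
#!/bin/sh
# Added example (not from the thread or zakjan's tool). Builds a constructed
# root -> intermediate -> leaf chain for "example.com" with openssl, then shows
# how a client that cannot follow AIA sees the bare leaf versus leaf + chain.
# File names, CN values and the 30-day lifetimes are all made up for the demo.

# make_chain DIR: write root.crt, int.crt, leaf.crt and example.com.chain.crt into DIR.
make_chain() {
    d="$1"
    # Self-signed root CA: this is what would live in the phone's trust store.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.crt" \
        -days 30 -extfile "$d/ca.ext" >/dev/null 2>&1
    # Intermediate CA signed by the root: the piece a misconfigured server omits.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.crt" -days 30 -extfile "$d/ca.ext" >/dev/null 2>&1
    # Leaf for example.com signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=example.com" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/leaf.crt" -days 30 -extfile "$d/leaf.ext" >/dev/null 2>&1
    # Chain file as the answer describes: intermediates only, root excluded.
    cat "$d/int.crt" > "$d/example.com.chain.crt"
}

# verify_leaf DIR CHAINFILE: validate leaf.crt against root.crt using only what
# the server would send (CHAINFILE, or nothing when empty). Exit 0 = trusted.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2" "$1/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
    fi
}

# count_self_signed BUNDLE: number of certificates in a PEM bundle whose subject
# equals their issuer. A correct chain file gives 0; a root slipped in gives 1 or more.
count_self_signed() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | awk '
        /^subject=/ { s = substr($0, 9) }
        /^issuer=/  { if (substr($0, 8) == s) c++ }
        END { print c + 0 }'
}

# Demo run: bare leaf fails, leaf plus chain file passes, chain file has no root.
DEMO_DIR="$(mktemp -d)"
make_chain "$DEMO_DIR"
if verify_leaf "$DEMO_DIR" ""; then
    echo "bare leaf: trusted (unexpected)"
else
    echo "bare leaf: untrusted, incomplete chain"
fi
if verify_leaf "$DEMO_DIR" example.com.chain.crt; then
    echo "leaf + chain: trusted"
fi
echo "self-signed certs in chain file: $(count_self_signed "$DEMO_DIR/example.com.chain.crt")"
```

Against a live server the same check is `openssl s_client -connect host:443 -showcerts`, whose "Verify return code" reports "unable to get local issuer certificate" when the intermediate is missing; the `-untrusted` branch of verify_leaf mirrors how the server-sent chain is treated as untrusted input that must link up to a root already in the store.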

I had the same problem before.

You can use this answer, it works great for me.

Trust all certificates using HttpClient via HTTPS

0

After zakjan's answer, I had a problem when I tried to use jquery to execute an AJAX request on my newly protected server in an Android web browser. It worked in a browser, but not in my application.

I used this site: https://certificatechain.io/

I pasted the text of my signed .crt file that I got back from Comodo (PositiveSSL), and it returned everything I needed. I saved it as my domain + "chain.crt" (see below).

Then, in my Apache configuration, I entered something like this for that particular virtual host:

    SSLEngine On
    SSLCertificateFile /etc/ssl/localcerts/example_com.crt
    SSLCertificateKeyFile /etc/ssl/localcerts/example.com.key
    SSLCACertificateFile /etc/ssl/localcerts/example.com.chain.crt

After that, my Android WebView application had no problem using AJAX to POST to my server. I tried this on two real devices, one running 2.3.4 and one running 4.something, and on the emulator running 2.3. Everything worked.

Hope this helps.

0

Source: https://habr.com/ru/post/1341508/
