I'm developing an Android App which requests a server with https. So the server has a certificate. During development I've managed to trust all certificates to not care about that at this stage of the project.
As I'm preparing the production phase, I would like to know how to use Volley with https while verifying the authenticity of the server. Should I import something in the app? Could someone explain to me how it works?
Please don't just give me a tutorial to follow. I've found some already, but I'm having difficulty understanding the process, so some explanations would be great!
Thanks a lot!
As long as the certificate comes from a valid Certificate Authority (CA) it will work as is.
This is the same with all android https connections.
You do not need to install certificates etc on the android device.
(You should double-check that the CA you are using is valid on Android, as there are some that may not be compatible this easily, although the majority should be.)
Related
I'm working on a native app for iOS and Android using React-Native. I have to hit a third-party REST API that uses https:// protocol. There is a staging server and a production server for the API.
I have success making requests to both servers on iOS. On Android, I can access staging, but not production. Requests to both servers are successful using Postman.
Requests to production on Android give me the infamous [TypeError: Network request failed] message. I looked around on this site and elsewhere, and learned that this is usually the result of a certificate trust issue (which is not something I'm super knowledgeable about). I used openssl to view the certificates and did see three certs when checking staging, and only two for production. I tried following the custom TrustManager example on the Android HTTPS and SSL page: https://developer.android.com/training/articles/security-ssl.html
As well as this tutorial for SSL pinning: https://medium.com/the-many/a-year-of-react-native-ssl-pinning-3801a973cbfe
No luck. I should probably mention that at no point have I seen any logcat messages referring to certificate trust errors, so I'm not even entirely sure this is my issue.. it's just the only thing that makes sense based on what I've been able to find out. I tried going to Android Studio Preferences > Tools > Server Certificates and enabled 'Accept non-trusted certificates automatically' as a sanity check for testing. Still no luck and no change in log messages.
The requests are formatted exactly the same in React-Native, and are successful in three out of four of my scenarios (iOS staging & prod, Android staging). What am I missing?
As HTTPS requires a certificate and a DNS name, how are you supposed to work on your dev machine?
Do you need a specific certificate and a DNS name for your machine?
I generated self signed certs but it causes too many problems with android with sslv3/poodle:
1/ You have to put some code to accept your self signed cert. I followed the recommendation from google, here.
2/ When you apply this and have a server, nginx, not supporting sslv3 which is good as sslv3 has a flaw, you get an exception saying that it tried to negotiate sslv3 but failed.
3/ Then there are some rare pieces of advice on how to bypass the sslv3 issue by providing a modified socketFactory. See this post for example. But mixing 1/ with this becomes very difficult for me.
Any advice appreciated. Thanks!
My issue is how to connect between client and worklight server via https.
I've used a self-signed SSL certificate (without a CA) and I want to somehow trust all certificates to bypass the SSLHandshakeError.
Environments:
Worklight 6.2
Android platform
It is possible to use the "singleton" HttpClientManager.getInstance().getHttpClient() like this and somehow add some custom sslFactory or something like this...
PS.
I've done everything written in the guide wl 6.2 ssl
I've tried with customCordovaWebViewClient and to override sslErrorHandler but this doesn't work for me
I know that there is a variant to create self-certificates with CA bit and install it manually on devices but that is not possible for me...
That is currently not supported as far as I know. You might need to open a feature request.
I would also suggest considering just using HTTP, as using HTTPS like this is not really safer than regular HTTP. The only benefit is that the traffic gets encrypted, but anyone who wants to spoof the server can easily do so, rendering such encryption useless, and worse because it gives the illusion of security. But I assume you already knew this.
I know that this particular topic was asked many times, but unfortunately in my case none of them are working. For past few days I was trying to get it to functional state, but I failed every time, so I finally come here to ask.
I have a web service on a server with a self-signed certificate. I can access the WSDL file if I enter the address into a browser. The browser just reminds me that there are some issues with the certificate, and if I hit continue, everything works. Sadly I know very little about SSL, because it's the first time I've made an application with SSL communication. In the application I only get the exception "No peer certificate" or "Trust anchor path not found", depending on the type of "solution" I used.
I ran test on sslhopper.com and I get a warning that "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate." Is this a serious issue in Android development or it could be resolved by some code?
So my question is actually: how can I make the application "hit the continue button", or do anything to make it actually connect to the server? In this case, is it a problem with the certificate itself, or am I doing something wrong in the application itself?
If you are trying to do client authentication, you need two things:
1. the CA certificate that issued the server certificate
2. a client certificate for your app.
You have to put 1. in the trust store and 2. in the keystore for your app. The sample code expects a PKCS#12 as the keystore; do you have one? What files have you been given? At this point it might be good to read the JSSE reference so you have an idea how the system works:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
I use ksoap2 to access a web service. Everything was just fine before I changed the test web service to the production one, which uses the https protocol.
I know that this question was asked few more times here, on stackoverflow, but none of the answers work for me. When I use ksoap2 with https I got this error (exception):
Not trusted server certificate
Someone provided an answer (solution) here: Android ksoap2 via https, but I don't understand how to implement that solution (or the proposed solution is not working for me).
The certificate used by WS is a self issued ssl certificate - I use the application only inside a small company, but the company system administrator requires encrypted connection.
Can someone provide a better explanation for this issue?
Thank you.
I had a similar problem. Basically, when using Http related classes with the https protocol, Android will check with its installed certificates (which I believe are stored in the OS keystore).
Because your certificate is self-signed, the certificate is not trusted.
I added my self-signed certificate to my app for testing purposes (alexander.egger's answer at How to install trusted CA certificate on Android device?). Maybe you can use this approach?
I guess Vedran's approach at Android ksoap2 via https does a similar thing and should work too. What part of that answer is unclear?
However, I don't think these are good solutions.
For my production environment, I ordered a (cheap) ssl certificate from a signing authority trusted by all Android devices and installed it on the server. I am not going to advertise here, but most commercial ssl certificates are trusted by all android devices, and it should be easy to find a cheap one with some research. I think this is the best solution to this problem.
Without a proper SSL certificate, your server would be untrusted by the entire world except your particular app, which is probably not a good solution (what if you extend to an iOS device, a third-party application calling the web service, etc.).
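
The alternative to "trust all certificates" that the answers above point to (trust only the CA or self-signed certificate shipped with the app and, for client authentication, add a PKCS#12 key store), as an added example that is not code from any of the posts. The class and method names (`PinnedTrust`, `trustOnly`, `contextFor`) are hypothetical, and `main` uses the first CA of the platform trust store as a constructed stand-in for the bundled certificate so that it runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedTrust {
    // Trust store holding only the certificate shipped with the app (CA or self-signed).
    static TrustManagerFactory trustOnly(InputStream caCert) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caCert);
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start empty: none of the system CAs are trusted
        trustStore.setCertificateEntry("server-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    // pkcs12 may be null when the server does not request a client certificate.
    static SSLContext contextFor(InputStream caCert, InputStream pkcs12, char[] password) throws Exception {
        KeyManager[] keyManagers = null;
        if (pkcs12 != null) {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(pkcs12, password);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, password);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustOnly(caCert).getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in input: the first platform CA plays the bundled certificate.
        TrustManagerFactory system = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        system.init((KeyStore) null);
        X509Certificate standIn = ((X509TrustManager) system.getTrustManagers()[0]).getAcceptedIssuers()[0];
        X509TrustManager tm = (X509TrustManager)
                trustOnly(new ByteArrayInputStream(standIn.getEncoded())).getTrustManagers()[0];
        System.out.println("accepted issuers: " + tm.getAcceptedIssuers().length);
        SSLContext ctx = contextFor(new ByteArrayInputStream(standIn.getEncoded()), null, null);
        System.out.println("context protocol: " + ctx.getProtocol());
    }
}
```

In an app, `ctx.getSocketFactory()` is what gets handed to `HttpsURLConnection.setSSLSocketFactory(...)` or to Volley's `HurlStack(null, sslSocketFactory)`, with the certificate read from the app's resources. The default `HostnameVerifier` stays in place, so the server name is still checked against the certificate.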