Cannot access my Server with ssl url - android

I am developing an iOS & Android application with React Native. I used to access my backend server with a "normal" URL -> http:// ....
Now, since I have changed it and added SSL, I need to use my new backend URL with SSL, which is https://
On iOS everything works like it should. The problems are caused by my android app.
I am not sure how to solve this. Is there anything I have to do to access SSL-based URLs on Android? Maybe in my Manifest or something? Any hints would be great...

Android doesn't want to trust server's certificate.
Which Android version did you test?
Older versions like 4.1.x don't have 'less known' CAs installed.
Try it with Marshmallow.
To fix it you can always install a proper certificate on the device by hand (settings->security->load ca from sdcard) or change CA on the server to one which is more 'known' (probably more expensive).
BTW, check out the logs. It should fail on the SSL handshake.
Another test you can do is publishing a simple website on this server and trying to open it over https on the affected Android device. If the system doesn't trust it, the browser will alert you about that. For instance:

Related

How to debug TLS negotiation failure with load-balancer?

I have an Android app which communicates to a backend server via HTTP POST requests. I would like to upgrade it to HTTPS. The API I'm using is HttpLib.postRequest.
I'm finding that a direct connection to my Apache server works fine. But a connection via a load balancer doesn't work. My load balancer is from Aliyun. I've tried two different load balancers, both fail the same way. The direct symptom is that I get an "unknown_err" on the phone.
I can capture traffic with tcpdump, which proves that it's connecting to the correct place and attempting to negotiate. The session ends with the client sending an HTTPS error "Certificate Unknown (46)".
Normally this is caused by bad certificates or configuration. But I know that my certificates are all valid. Other browsers work fine connecting to the same server to load normal web pages. And the iOS version of the same app also works fine. Browsing to the web site on an Android phone works fine even when the app is failing to connect. The website is https://zaomengshe.com so you can check the certificate there. I also have a different setup with a load balancer and a certificate from Let's Encrypt.
I guess there is some peculiarity of Aliyun's load balancers and Android that's preventing a successful negotiation. Perhaps I need to enable support for some algorithm or key size or something. I did read that TLS 1.2 wasn't supported until API version 20, so I updated the minimum supported version to 20. That didn't help.
The report by SSLLabs for this domain clearly says:
This server's certificate chain is incomplete. Grade capped to B.
The reason for this problem is probably a messed up configuration at the load balancer: only the leaf certificate is served inside the TLS handshake but not the intermediate certificates needed to build the trust chain. Desktop browsers usually try to work around such broken configurations but other applications usually don't.
This means that this is very likely the reason your application fails. And the issue needs to be fixed at the load balancer by also configuring the intermediate certificates.

Android Update SSL Certificate

I am building an Android Application which consumes a REST Api through an HTTPS connection. Right now to ensure the connection to this api I am using a file cert embedded in the app as explained in this example, at Android Documentation.
It is working well, but recently the certificate has changed and I had to publish the Application again with the new cert file.
My question is: What is the best way to avoid this every time the certificate changes? How to do it without using a cert file embedded directly in the app?
Thanks!

Reverse Engineering Native Apps by Intercepting Network Traffic With Charles 4?

The older pre-3.10 versions of Charles allow users to install a root certificate on their phones to help apps to allow SSL connections, but the newer version has removed this feature. I am not sure if this is the reason why I wasn't able to POST successfully to the native app server.
For example, I will get messages like `SSLHandshake: Remote host closed connection during handshake`
I suspect the root certificate is for the app on my phone to accept SSL connections from the server, but not for me to POST messages to the server.
Anyways, is there a method for me to set up SSL connections to POST?
P.S. I have added the server's url in my SSL list, and also enabled "transparent HTTP proxy." (I noticed that is not HTTPS, so perhaps Charles doesn't have transparent HTTPS feature?)
Update: I tried using mitmproxy and it worked. It looks like installing a cer file on the phone is the right way to go, but I am wondering why Charles removed this feature. I also think I might have missed something in the documentation. Perhaps Charles did generate a cer file in my system for me to download to the phone. If so, where can I find this file?
Yeah, all you need to do is to click Help on the menu bar and then select save SSL or install SSL on mobile device, and then browse to the URL it gives you on your mobile browser to download the certificate.

How to trust all ssl certificates on Worklight 6.2

My issue is how to connect between the client and the Worklight server via https.
I've used a self-signed SSL certificate (without CA) and I want somehow to trust all certificates to bypass the SSLHandshakeError.
Environments:
Worklight 6.2
Android platform
It is possible to use the "singleton" HttpClientManager.getInstance().getHttpClient() like this and somehow add some custom sslFactory or something like this...
PS.
I've done everything written in the guide wl 6.2 ssl
I've tried with customCordovaWebViewClient and overriding sslErrorHandler, but this doesn't work for me
I know that there is a variant to create self-signed certificates with the CA bit and install them manually on devices, but that is not possible for me...
That is currently not supported as far as I know. You might need to open a feature request.
I would also suggest considering just using HTTP, as using HTTPS like this is not really safer than regular HTTP. The only benefit is that the traffic gets encrypted, but anyone who wants to spoof the server can easily do so, rendering such encryption useless, and worse because it gives the illusion of security. But I assume you already knew this.

Facebook App doesn't work in mobile devices, SSL connection not found

I'm creating a Facebook app in the developers side of Facebook.
Everything is working when I start browsing the app via browser, but when I try to access the app via a mobile device I get a message like this:
"Secure connection not found"
It is strange because my app URL is an SSL page, we have created our certificate and it expires in 10 years.
Has anyone had the same problem in the past?
Thanks!
Have you added an HTTPS-enabled mobile site URL under your App's settings? I guess this could be the reason...
The problem was the self-signed certificate, with a new and not self-signed certificate everything works!
