DownloadManager how to replace HttpClient? - android

I have an Android 4.1.2 device.
I'm trying to download a file over HTTPS and get an error about an invalid certificate.
OK, I created a custom TrustManager, which skips this error.
How do I specify that DownloadManager should use my HttpClient with the custom TrustManager?

Implementing a custom "Dummy-TrustManager" is a simple but dumb idea as it destroys the security of SSL/TLS.
What you need instead is to trust that specific certificate of the server, not every (self-signed) certificate in the world!
There is a complete blog topic by Nikolay Elenkov which explains everything you need, including code samples: Using a Custom Certificate Trust Store on Android

Related

Android MQTT and SSL

I am trying to connect via SSL and certificate to have a solid and secure connection, but apparently it is not as simple as it looks.
Using Python it is 100% working and I can test the connection by using these parameters:
client.tls_set(ca_certs="x.pem", certfile="/y.pem.crt", keyfile="z.pem.key", cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2,ciphers=None)
client.tls_insecure_set(True)
I was applying different variants of code found on the internet and even on here, applying the SSLSocketFactory to my MqttConnectOptions.
Common errors were like "SSL path not found" (yes, I did check if the code was reading the file and it worked), "Trust anchor for certification path not found." and so on...
I also had issues parsing the key file with PemParse because it is in the resources, but without much luck.
This is one of the links I was following as well, https://gist.github.com/sharonbn/4104301, but without much success.
Just to "complicate things", my certificates are without a password and most of the examples on the web are with one.
To recap:
I have x.pem, y-private.pem.key, z-certificate.pem.crt, u-public.pem.key
With Python it works fine
Android is not working, or at least I am not able to make it work.
In case it wasn't clear, I am after a piece of code that allows me to use the certificates above, add them to my MqttConnectOptions and make a successful connection to the server.

Fetch in react native won't work with ssl on android

When I'm using the fetch function in my react native apps, things work as expected on iOS, but gives an error in android. The error is 'TypeError: Network request failed'. Doing a bit of debugging, I found that the cause of the error seems to be the following: 'java.security.cert.CertPathValidatorException: Trust anchor for certification path not found'.
How come this works in iOS and not on android, and how do I best fix it? Is the fault in react-native, or somewhere deeper?
There are a few workarounds for this issue mentioned here: Trust Anchor not found for Android SSL Connection
However, if you are the server owner, I would suggest reviewing your server SSL certificate. I think that was because of a missing CA certificate in your pem file.
What I have done for my site is create fullchain.pem by concatenating the contents of file.crt and file.ca-bundle, in that order.
Then I configured nginx (my server is behind nginx) with:
ssl_certificate /etc/nginx/ssl/fullchain.pem;
The original document: https://www.digicert.com/ssl-certificate-installation-nginx.htm
Hope that helps

How to download PDF on Android(Galaxy S3/4) from stock browser over https

The download over https on a Galaxy S3/4 just shows "in progress" for a while and then eventually fails.
I created a new site in IIS7 with 2 files: "pdf.pdf" and "index.html". I've set the bindings of the site to static.local.com for http and https(self signed cert) and my host file points static.local.com to 127.0.0.1.
Contents of index.html
<html>
<head></head>
<body>
link
link
</body>
</html>
Only the http link works on the Galaxy S3/4. Also this scenario has been tested with a valid SSL cert. I see this issue posted all over the internet of people having issues downloading pdfs over https, but was hoping someone had a workaround that doesn't involve using another browser, download works with Opera-mini.
I've not heard of this problem, if lots of people are having it, then it sounds like a nuance of android. One thing I would try in the meantime if you need a quick workaround is perhaps try setting different headers in the response for the pdf such as the content-disposition to inline, or content-type etc. List of HTTP header fields
Perhaps Android OS is trying to be "helpful" with pdf files.
Checking your SSL setup would be the primary thing here. Self signed may not even stand a chance but for a CA signed certificate you need to make sure everything is proper.
Ideally, you would only need the certificate and the private key to include in your web server configuration. But most of the commonly available SSL certificates are issued by an Intermediate CA and not the root CA. Hence, you are also supposed to include the intermediate certificate chain on your web server to complete the setup.
However, things become complicated because most of the browsers try to forgive omission of intermediate certificate chains by downloading the intermediate cert chain themselves (based on information contained in your SSL certificate). Hence everything seems to work fine until you use a browser or HTTP client library which doesn't do that automatically.
Check your SSL setup here:
https://www.ssllabs.com/ssltest/

AsyncHttpClient and org.apache.http.client fails on SSL site while standard Android method works well

There was recently certificate change on staging servers of my app. The server passes Qualys SSL test with grade A- ("The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-") so I should be able to connect via https without adding any certs to my app, keystore or whatever. Indeed, the standard Android connection method works well (http://developer.android.com/training/basics/network-ops/connecting.html).
The problem is, I am using android-async-http all over the code, which uses org.apache.http.client. And that returns javax.net.ssl.SSLPeerUnverifiedException: No peer certificate when I connect to the site!
I can't really change the connection method in current circumstances. I'd like to stay with android-async-http and connect to my site without bypassing the SSL security.
Any tips? Some additional settings to android-async-http? Or maybe altering android-async-http source code would help?
I encountered the same problem 6 months back.
I think you will be able to solve it by:
MySSLSocketFactory extends SSLSocketFactory
Then you need to use this class where you are creating an instance of HTTPClient and pass some parameters...
I think the link below would be helpful. If it doesn't help then I can share concrete code later...
https://stackoverflow.com/a/13812958/1386533

Android - Custom SSL certificate chain checking without bundling keystore with the app

I am after a solution which would enable me to use the built-in keystore and StrictHostnameVerifier but would allow me to obtain the X509CertificateChain (either once connected or post handshake) so I can perform some additional checks (specifically I want to verify the root public key is the one I expected).
The examples I have investigated are mainly around overriding the behaviour (i.e. by replacing the socket factory or hostname checker with ones which don't do anything) and I am struggling with the differences between the android and other java implementations.
The reason I don't want to bundle a keystore (aside from having to use bouncycastle instead of jks) is that I don't want to package the intermediate CA cert with the app as this will create a certificate management problem sooner.
Many thanks in advance for any comments.
Ideally, this should be done at runtime. Bundling the certificate might be redundant as well, when some devices might already have that certificate installed.
Normally, your approach should be this.
Try connecting to the server.
If certificate is not installed, you will get a certificate exception. Catch it, extract the public certificate, save it, by creating a keystore on the fly.
While making new connections, use this keystore to initialize your SSL context.
