My issue is how to connect between client and worklight server via https.
I've used self-signed SSL (without CA) and I want to somehow trust all certificates to bypass the SSLHandshakeError.
Environments:
Worklight 6.2
Android platform
It is possible to use the "singleton" HttpClientManager.getInstance().getHttpClient() like this and somehow add some custom sslFactory or something like this...
PS.
I've done everything written in the guide wl 6.2 ssl
I've tried with customCordovaWebViewClient and overriding sslErrorHandler, but this doesn't work for me.
I know that there is a variant to create self-certificates with the CA bit and install them manually on devices, but that is not possible for me...
That is currently not supported as far as I know. You might need to open a feature request.
I would also suggest considering just using HTTP, as using HTTPS like this is not really safer than regular HTTP. The only benefit is that the traffic gets encrypted, but anyone who wants to spoof the server can easily do so, rendering such encryption useless, and worse because it gives the illusion of security. But I assume you already knew this.
Related
I'm developing an Android App which requests a server with https. So the server has a certificate. During development I've managed to trust all certificates to not care about that at this stage of the project.
As I'm preparing the production phase, I would like to know how I use Volley with HTTPS while verifying the authenticity of the server. Should I import something into the app? Could someone explain to me how it works?
Please don't give me just a tutorial to follow. I've found some already, but I'm having difficulty understanding the process; some explanations would be great!
Thanks a lot!
As long as the certificate comes from a valid Certificate Authority (CA) it will work as is.
This is the same with all android https connections.
You do not need to install certificates etc on the android device.
(You should double check the CA you are using is valid on the android as there are some that may not be compatible this easily. Although the majority should be)
I am developing an iOS & Android application with React Native. I used to access my backend server with a "normal" URL -> http:// ....
Now that I have changed it and added SSL, I need to use my new backend URL with SSL, which is https://
On iOS everything works like it should. The problems are caused by my android app.
I am not sure how to solve this. Is there anything I have to do to access SSL-based URLs on Android? Maybe in my Manifest or something? Any hints would be great...
Android doesn't want to trust server's certificate.
Which Android version did you test?
Older versions like 4.1.x don't have 'less known' CAs installed.
Try it with Marshmallow.
To fix it you can always install a proper certificate on the device by hand (Settings -> Security -> load CA from SD card) or change the CA on the server to one which is more 'known' (probably more expensive).
BTW, check out the logs. It should fail on the SSL handshake.
Another test you can do is publishing a simple website on this server and trying to open this website over https on the affected Android device. If the system doesn't trust it, the browser will alert you about that. For instance:
I have a backend server that is accessible on two ports - one with HTTP and another with HTTPS. It uses a self-signed certificate.
From my ionic/cordova hybrid app when I run using HTTP requests they all succeed. During first request I also include a basic authorization. However, the exact same requests fail when using HTTPS. For example
http://10.1.2.3:8000/hello.js <<< works like a charm
https://10.1.2.3:8100/hello.js <<<< this fails (but works in android browser after a warning page)
I wonder how to proceed. Do I need to register the self-signed certificate somewhere in config, or something else?
Thanks a lot.
I wonder if you have found your answer or not, but still want to post answer for others looking for the solution: Cordova doesn't allow https calls to Servers with untrusted ssl certificate installed on them. You can ignore this error and continue by making a small change in a cordova file.
Open "\cordova\platforms\android\CordovaLib\src\org\apache\cordova\CordovaWebViewClient.java". In the 'onReceivedSslError' method, comment out the else part and add handler.proceed() instead.
The challenge I have is to convert an android app that uses HTTP connection to HTTPS connection without rewriting the code?
What are the options available to achieve the above challenge on a device without root access?
Any solution that relies on server-side redirections (from HTTP to HTTPS) will be vulnerable to MITM attacks (see this answer).
If the addresses in this app are configurable, just change them to use your HTTPS URLs.
Otherwise, you can of course use a server-side redirection to mitigate the risk slightly, but that won't prevent downgrade MITM attacks (which can happen, perhaps more so when using a mobile device).
If it's always connecting to a known endpoint that's under your control, you could implement something at the target server end of things to redirect, perhaps something like mod_rewrite if it's an Apache server.
There's not much to be rewritten. You basically change your http:// links to https:// and that should be it. Some problems may appear when the endpoint's certificate is self-signed or signed by some less popular CA, but you can easily replace your HttpClient with this one, add the issuer's CA to your app and be done with one screen of code, basically.
If the app is not yours and you have no code, then you could try to tunnel it, by making it access the net via your access point, which would transparently re-route the packets via an ssh tunnel or VPN or whatever else.
If the app is not yours but you can have the code, that's IMHO the best way to go.
I use ksoap2 to access a webservice. Everything was just fine before changing the test webservice to the production one, which uses the https protocol.
I know that this question has been asked a few more times here on Stack Overflow, but none of the answers work for me. When I use ksoap2 with https I get this error (exception):
Not trusted server certificate
Someone provided an answer (solution) here: Android ksoap2 via https, but I don't understand how to implement that solution (or the proposed solution is not working for me).
The certificate used by WS is a self issued ssl certificate - I use the application only inside a small company, but the company system administrator requires encrypted connection.
Can someone provide a better explanation for this issue?
Thank you.
I had a similar problem. Basically, when using HTTP-related classes with the https protocol, Android will check against its installed certificates (which I believe are stored in the OS keystore).
Because your certificate is self-signed, the certificate is not trusted.
I added my self-signed certificate to my app for testing purposes (alexander.egger's answer at How to install trusted CA certificate on Android device?). Maybe you can use this approach?
I guess Vedran's approach at Android ksoap2 via https does a similar thing and should work too. What part of that answer is unclear?
However, I don't think these are good solutions.
For my production environment, I ordered a (cheap) SSL certificate from a signing authority trusted by all Android devices and installed it on the server. I am not going to advertise here, but most commercial SSL certificates are trusted by all Android devices, and it should be easy to find a cheap one with some research. I think this is the best solution to this problem.
Without a proper SSL certificate, your server would be untrusted by the entire world except your particular app, which is probably not a good solution (what if you extend to an iOS device, a third-party application calling the webservice, etc.).