Cloudflare broke Android SSL - android

I used to have a working SSL for all web and mobile browsers. After setting up Cloudflare, Android devices are unable to securely visit my site.
The error I'm receiving is:
The identity of this website has not been verified.
Server's certificate does not match the URL.
After checking the certificate through the viewer, I noticed it is issued to (an ssl subdomain).cloudflare.com. Obviously, this does not match my site's URL. I cannot find solutions for this. Any fixes?

This is typically a problem with Server Name Indication (SNI), which is used to have multiple certificates behind the same IP address. As far as I know, Cloudflare uses SNI, and if your application does not support it and does not send the expected server name inside the SSL ClientHello dialog, it will get the wrong certificate back.
The Apache HTTP library as used by Android did not support SNI for a long time, which might trigger your problem. There are various posts on Stack Overflow about this topic, and you will also find enough information online if you search for "SNI android".
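To make the answer's point concrete, here is an added example (not from the original thread, and not Cloudflare's or Android's code) that uses Python's standard `ssl` module to write a TLS ClientHello into a memory buffer, once with a server name and once without, and then parses the `server_name` extension out of the raw record. The hostname `www.example.com` is a placeholder, and no network connection is made. A client that omits SNI gives a shared-IP front end nothing to select a certificate by, so it gets whatever default certificate that IP serves, which is the mismatch the question describes.

```python
import ssl

# Placeholder hostname for the demonstration (constructed, not a real target).
HOSTNAME = "www.example.com"


def client_hello_bytes(server_hostname):
    """Return the raw TLS ClientHello the ssl module would send, with no network.

    A MemoryBIO pair stands in for the socket: do_handshake() writes the
    ClientHello into `outgoing` and then raises SSLWantReadError because no
    ServerHello is available yet.
    """
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # A client with no server name to send (the "no SNI support" case)
        # cannot verify a hostname either, so both checks must be disabled.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, client waits for server
    return outgoing.read()


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def extract_sni(record):
    """Parse one TLS record holding a ClientHello and return the host_name from
    its server_name extension, or None if the extension is absent."""
    if record[0] != 0x16:                # ContentType handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if body[0] != 1:                     # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    body = body[4:4 + hs_len]
    pos = 2 + 32                         # legacy_version + random
    pos += 1 + body[pos]                 # legacy_session_id
    pos += 2 + _u16(body, pos)           # cipher_suites
    pos += 1 + body[pos]                 # legacy_compression_methods
    if pos >= len(body):
        return None                      # ClientHello without any extensions
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                # extension type 0 == server_name
            continue
        list_end = 2 + _u16(data, 0)     # ServerNameList length prefix
        q = 2
        while q + 3 <= list_end:
            name_type, name_len = data[q], _u16(data, q + 1)
            if name_type == 0:           # NameType host_name
                return data[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None


if __name__ == "__main__":
    print("with SNI   :", extract_sni(client_hello_bytes(HOSTNAME)))
    print("without SNI:", extract_sni(client_hello_bytes(None)))
```

The same parser can be pointed at a packet capture of the failing Android client: if the ClientHello it sends carries no `server_name` extension, the certificate mismatch is a client-side SNI problem and no server or Cloudflare setting will fix it.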

Related

How to debug TLS negotiation failure with load-balancer?

I have an Android app which communicates to a backend server via HTTP POST requests. I would like to upgrade it to HTTPS. The API I'm using is HttpLib.postRequest.
I'm finding that a direct connection to my Apache server works fine. But a connection via a load balancer doesn't work. My load balancer is from Aliyun. I've tried two different load balancers, both fail the same way. The direct symptom is that I get an "unknown_err" on the phone.
I can capture traffic with tcpdump, which proves that it's connecting to the correct place and attempting to negotiate. The session ends with the client sending an HTTPS error "Certificate Unknown (46)".
Normally this is caused by bad certificates or configuration. But I know that my certificates are all valid. Other browsers work fine connecting to the same server to load normal web pages. And the iOS version of the same app also works fine. Browsing to the web site on an Android phone works fine even when the app is failing to connect. The website is https://zaomengshe.com so you can check the certificate there. I also have a different setup with a load balancer and a certificate from Let's Encrypt.
I guess there is some peculiarity of Aliyun's load balancers and Android that's preventing a successful negotiation. Perhaps I need to enable support for some algorithm or key size or something. I did read that TLS 1.2 wasn't supported until API version 20, so I updated the minimum supported version to 20. That didn't help.
The report by SSLLabs for this domain clearly says:
This server's certificate chain is incomplete. Grade capped to B.
The reason for this problem is probably a messed-up configuration at the load balancer: only the leaf certificate is served inside the TLS handshake, but not the intermediate certificates needed to build the trust chain. Desktop browsers usually try to work around such broken configurations, but other applications usually don't.
This means that this is very likely the reason your application fails, and the issue needs to be fixed at the load balancer by also configuring the intermediate certificates.

Reverse Engineering Native Apps by Intercepting Network Traffic With Charles 4?

The older pre-3.10 versions of Charles allowed users to install a root certificate on their phones to help apps allow SSL connections, but the newer version has removed this feature. I am not sure if this is the reason why I wasn't able to POST successfully to the native app server.
For example, I will get messages like: SSLHandshake: Remote host closed connection during handshake
I suspect the root certificate is for the app on my phone to accept SSL connections from the server, but not for me to POST messages to the server.
Anyways, is there a method for me to set up SSL connections to POST?
P.S. I have added the server's url in my SSL list, and also enabled "transparent HTTP proxy." (I noticed that is not HTTPS, so perhaps Charles doesn't have transparent HTTPS feature?)
Update: I tried using mitmproxy and it worked. It looks like installing a .cer file on the phone is the right way to go, but I am wondering why Charles removed this feature. I also think I might have missed something in the documentation. Perhaps Charles did generate a .cer file on my system for me to download to the phone. If so, where can I find this file?
Yeah, all you need to do is click Help on the menu bar, then select "save SSL" or "install SSL on mobile device", and then browse to the URL it gives you in your mobile browser to download the certificate.

What's the process with SSL certificate with Volley on Android

I'm developing an Android app which makes HTTPS requests to a server, so the server has a certificate. During development I've managed to trust all certificates so as not to care about that at this stage of the project.
As I'm preparing the production phase, I would like to know how to use Volley with HTTPS while verifying the authenticity of the server. Should I import something into the app? Could someone explain to me how it works?
Please don't give me just a tutorial to follow; I've found some already, but I'm facing difficulties understanding the process. Some explanations would be great!
Thanks a lot!
As long as the certificate comes from a valid Certificate Authority (CA), it will work as is.
This is the same for all Android HTTPS connections.
You do not need to install certificates etc. on the Android device.
(You should double-check that the CA you are using is valid on Android, as there are some that may not be compatible this easily, although the majority should be.)

android ksoap2 - Not trusted server certificate

I use ksoap2 to access a web service. Everything was just fine before I changed the test web service to the production one, which uses the HTTPS protocol.
I know that this question was asked a few more times here on Stack Overflow, but none of the answers work for me. When I use ksoap2 with HTTPS I get this error (exception):
Not trusted server certificate
Someone provided an answer (solution) here: Android ksoap2 via https, but I don't understand how to implement that solution (or the proposed solution is not working for me).
The certificate used by the WS is a self-issued SSL certificate. I use the application only inside a small company, but the company system administrator requires an encrypted connection.
Can someone provide a better explanation for this issue?
Thank you.
I had a similar problem. Basically, when using HTTP-related classes with the HTTPS protocol, Android will check against its installed certificates (which I believe are stored in the OS keystore).
Because your certificate is self-signed, the certificate is not trusted.
I added my self-signed certificate to my app for testing purposes (alexander.egger's answer at How to install trusted CA certificate on Android device?). Maybe you can use this approach?
I guess Vedran's approach at Android ksoap2 via https does a similar thing and should work too. What part of that answer is unclear?
However, I don't think these are good solutions.
For my production environment, I ordered a (cheap) SSL certificate from a signing authority trusted by all Android devices and installed it on the server. I am not going to advertise here, but most commercial SSL certificates are trusted by all Android devices, and it should be easy to find a cheap one with some research. I think this is the best solution to this problem.
Without a proper SSL certificate, your server would be untrusted to the entire world except your particular app, which is probably not a good solution (what if you extend to an iOS device, a third-party application calling the web service, etc.).
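The Volley answer above (a CA-issued certificate needs nothing installed on the client) and this ksoap2 answer (a self-signed certificate must be explicitly trusted, and a publicly trusted one is the better fix) describe three client trust postures. As an added example that is not from either thread and not Android, Volley or ksoap2 code, the Python `ssl` module is used here to put the three configurations side by side: the platform CA store that production should use, the "trust everything" shortcut the Volley asker used during development, and a context that trusts only one private CA or self-signed certificate while keeping hostname checking on. The `ca_pem_path` argument is an assumed path to a PEM file exported from the server; the `https_get` helper is included so the contexts can be exercised against a real host.

```python
import ssl
import http.client


def production_context():
    """What the Volley answer recommends: a certificate from a CA the platform
    already trusts needs nothing installed. create_default_context() loads the
    system CA store and turns on both chain verification and hostname matching."""
    return ssl.create_default_context()


def development_trust_all_context():
    """The shortcut the Volley asker used during development. Every certificate
    is accepted, so an interception proxy or a spoofed server is indistinguishable
    from the real one. Shown only to contrast with the other two postures."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def private_ca_context(ca_pem_path):
    """The ksoap2 situation: a self-issued certificate used inside one company.
    Instead of disabling verification, trust exactly that certificate (or the
    company's private CA) and keep hostname matching on.
    ca_pem_path is an assumed path to the PEM file exported from the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname
    ctx.load_verify_locations(cafile=ca_pem_path)   # the only trust anchor
    return ctx


def trust_posture(ctx):
    """Summarise what a context actually checks, for code review or logging."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
    }


def https_get(host, path, ctx, timeout=10):
    """Perform one GET with the given context and return (status, reason).
    A chain or hostname failure surfaces as ssl.SSLCertVerificationError
    (the Python counterpart of "Not trusted server certificate") instead of
    silently succeeding."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.reason
    finally:
        conn.close()


if __name__ == "__main__":
    for name, ctx in (("production", production_context()),
                      ("dev trust-all", development_trust_all_context())):
        print(f"{name:14s} {trust_posture(ctx)}")
```

The middle configuration is the one that must never reach a release build: it is the only one of the three under which a certificate for the wrong name, or one signed by nobody, is accepted without error.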

Proxy and SSL connections in android emulator

Would anyone know how to configure the emulator to make SSL connections via a proxy?
I use the -http-proxy option when starting the emulator. I can access any website except those using the HTTPS protocol.
Any idea?
I've experienced similar problems with Android during a web project lately. The site works fine using ordinary HTTP from Android but when using HTTPS it works now and then. Some requests just fail and we get "Web page not found"-errors. The connections are sometimes very slow. After some further tests and investigation I found out that the problem was general for all HTTPS sites, not only for our site.
According to a bug report for Android others are reporting the same problem and Android has been hit by it since version 1.5:
http://code.google.com/p/android/issues/detail?id=3334
I removed the APN proxy on my HTC Desire, as stated in the bug report above, and then Android performed as expected on HTTPS sites. For our purpose we have made an exception for Android telephones so they are routed to the ordinary HTTP site instead.
In other words, it seems like Android has a general problem with proxies, and that may be the cause of the problem with the emulator. Vote on the bug; just follow the link above.
There are several possible reasons for that:
Can you access the HTTPS site with your real phone? If not, then probably the involved certificate is not considered trusted by the app/webview. If you need to consider a certificate as trusted within your app, look at the following tutorial.
Can you access HTTPS sites at all via your proxy from a web browser? Our enterprise proxy server does not allow HTTPS traffic (for whatever reason) at all. You could also sniff the traffic with Wireshark etc. to see if anything is sent back from the proxy or an error occurred.
What type of problem do you get when you try to connect to the website? Can you provide a stack trace or LogCat output?
