
I'm using the following method to make HTTP posts in Android:

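```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;

// getClient() and requestToString() are helpers defined elsewhere in the asker's class.
public static String post(String url, List<BasicNameValuePair> postParams,
        HttpClient client) throws ClientProtocolException, IOException {
    if (client == null) {
        client = getClient();
    }
    HttpPost httppost = new HttpPost(url);

    if (postParams == null) {
        postParams = new ArrayList<BasicNameValuePair>();
    }
    // Send the parameters as a UTF-8 form-encoded body
    httppost.setEntity(new UrlEncodedFormEntity(postParams, "UTF-8"));
    // Execute HTTP Post Request
    HttpResponse response = client.execute(httppost);
    return requestToString(response);
}
```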

But when I use it with an SSL connection and a self-signed certificate it throws the following exception:

```
Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:367)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:748)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:519)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:497)
```

How can I solve this and accept the self-signed certificates?

Thanks

Addev
  • 1
    Self-signed certificates defeat the purpose of SSL. Don't do that. If you don't want to use a CA, embed a public key in your app and verify against that (and make sure to allow key rotation and revocation). – SLaks Oct 06 '13 at 13:10
  • Thanks, but I don't need it to verify the host, just want to encode the data transferred. – Addev Oct 06 '13 at 13:24
  • 2
    If you don't verify the host, you have no protection against MITM attacks. – SLaks Oct 06 '13 at 13:29
  • I know, it is for a beta project that needs the data encoded in the first version, but the host verification can wait :). Thank you for your comments – Addev Oct 06 '13 at 13:33
  • Maybe this can help. http://stackoverflow.com/questions/1828775/how-to-handle-invalid-ssl-certificates-with-apache-httpclient?lq=1 – Anirudh Oct 06 '13 at 13:47
  • BTW, you mean _encrypted_. Encoding is a completely different word. – SLaks Oct 06 '13 at 14:23
  • 1
    Security is **hard**. Read http://blogs.msdn.com/b/ericlippert/archive/2011/09/27/keep-it-secret-keep-it-safe.aspx – SLaks Oct 06 '13 at 14:23
  • You don't need to build an insecure version of your system before you build the secure version. Doing so would be a major strategy mistake, a substantial security risk, and a complete waste of time and money. Don't do this. – user207421 Oct 06 '13 at 19:08
  • possible duplicate of [Error - trustAnchors parameter must be non-empty](http://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty) – user207421 Oct 06 '13 at 19:09
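
The alternative raised in the comments (ship the trust material with the app and verify against it instead of switching verification off), as an added example that is not code from the question or from any commenter. It pins whole certificates rather than bare public keys and uses the legacy Apache HttpClient API from the question; the class name `PinnedHttpClient` and the idea of reading the certificates from app resources are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

/** Hypothetical helper: an HttpClient that trusts only certificates bundled with the app. */
public final class PinnedHttpClient {
    private PinnedHttpClient() {}

    /**
     * @param pinnedCerts one stream per trusted X.509 certificate (PEM or DER),
     *        e.g. the current self-signed server certificate plus its planned
     *        successor so the key can be rotated without breaking old installs
     */
    public static HttpClient create(InputStream... pinnedCerts) throws Exception {
        if (pinnedCerts.length == 0) {
            throw new IllegalArgumentException("at least one pinned certificate is required");
        }
        // Start from an empty in-memory store: no system CAs, only our pins.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        for (int i = 0; i < pinnedCerts.length; i++) {
            try {
                Certificate cert = x509.generateCertificate(pinnedCerts[i]);
                trustStore.setCertificateEntry("pin-" + i, cert);
            } finally {
                pinnedCerts[i].close();
            }
        }
        // Chains are validated against trustStore only. The factory's default
        // hostname verifier is left in place, so the certificate must still
        // name the host being contacted.
        SSLSocketFactory sslFactory = new SSLSocketFactory(trustStore);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", sslFactory, 443));
        HttpParams params = new BasicHttpParams();
        return new DefaultHttpClient(
                new ThreadSafeClientConnManager(params, registry), params);
    }
}
```

The returned client can be passed as the `client` argument of the `post` method in the question. Revocation is not handled here, so dropping a pin means shipping an app update.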

0 Answers