I have created a very simple Netty secure chat server as the tutorial describes and start it with:

// Generates a fresh key pair and certificate (written to temp files) every time it is constructed
SelfSignedCertificate ssc = new SelfSignedCertificate();

SslContext sslCtx = SslContext.newServerContext(ssc.certificate(), ssc.privateKey());

After that I create a simple SSLSocket to communicate with it from an Android phone. I perform the connection through another thread and configure it as follows:

protected SSLSocket getConnection(String ip, int port) throws IOException {
    InputStream trustStoreStream = null;
    try {
        // BKS trust store shipped as res/raw/server.bks; it has to contain the
        // certificate the server is currently presenting.
        KeyStore trustStore = KeyStore.getInstance("BKS");
        trustStoreStream = context.getResources().openRawResource(R.raw.server);
        trustStore.load(trustStoreStream, "myPassword".toCharArray());

        // TrustManagerFactory's own default algorithm (PKIX on Android), not KeyManagerFactory's
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);

        // No key manager: only the server is authenticated, the client is not
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagerFactory.getTrustManagers(), null);

        SSLSocketFactory factory = sslContext.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(ip, port);
        socket.setEnabledCipherSuites(SSLUtils.getCipherSuitesWhiteList(socket.getEnabledCipherSuites()));
        return socket;
    } catch (GeneralSecurityException e) {
        throw new IOException(e);   // keep the cause so the CertPathValidatorException stays visible
    } finally {
        if (trustStoreStream != null) {
            trustStoreStream.close();
        }
    }
}

That way, I do a

sslsocket = getConnection(SERVERIP, SERVERPORT);

out = new PrintWriter(new BufferedWriter(new OutputStreamWriter(sslsocket.getOutputStream())));

and exactly at this "out = ..." line the following exception is thrown:

01-12 14:43:16.002: W/System.err(9979): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
01-12 14:43:16.002: W/System.err(9979): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:409)
01-12 14:43:16.012: W/System.err(9979): at com.android.org.conscrypt.OpenSSLSocketImpl$SSLOutputStream.<init>(OpenSSLSocketImpl.java:706)
01-12 14:43:16.012: W/System.err(9979): at com.android.org.conscrypt.OpenSSLSocketImpl.getOutputStream(OpenSSLSocketImpl.java:643)
01-12 14:43:16.012: W/System.err(9979): at com.mypath.connector.TCPClient.run(TCPClient.java:106)
01-12 14:43:16.012: W/System.err(9979): at com.mypath.SplashActivity$connectTask.doInBackground(SplashActivity.java:48)
01-12 14:43:16.012: W/System.err(9979): at com.mypath.SplashActivity$connectTask.doInBackground(SplashActivity.java:1)
01-12 14:43:16.012: W/System.err(9979): at android.os.AsyncTask$2.call(AsyncTask.java:288)
01-12 14:43:16.012: W/System.err(9979): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
01-12 14:43:16.012: W/System.err(9979): at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
01-12 14:43:16.012: W/System.err(9979): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
01-12 14:43:16.012: W/System.err(9979): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
01-12 14:43:16.012: W/System.err(9979): at java.lang.Thread.run(Thread.java:841)
01-12 14:43:16.012: W/System.err(9979): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
01-12 14:43:16.012: W/System.err(9979): at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:282)
01-12 14:43:16.012: W/System.err(9979): at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:202)
01-12 14:43:16.012: W/System.err(9979): at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:611)
01-12 14:43:16.012: W/System.err(9979): at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
01-12 14:43:16.012: W/System.err(9979): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
01-12 14:43:16.012: W/System.err(9979): ... 11 more
01-12 14:43:16.012: W/System.err(9979): Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
01-12 14:43:16.012: W/System.err(9979): ... 16 more

Does anyone know what I am doing wrong?

Alex K
Vitor Mendes

2 Answers

For development purposes you can use a trust-all TrustManager. This 'solution' is radically insecure.

// Accepts every certificate: no chain validation at all, so any server can impersonate yours
TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    }

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];   // an empty array rather than null, which some callers dereference
    }
};

The BEST solution is this: Trusting all certificates using HttpClient over HTTPS

Community
Andrey E

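The secure alternative to the trust-all manager above, and the shape the question's own TrustManagerFactory code is aiming for, is to trust exactly one anchor: the server's self-signed certificate, loaded from the PEM file that Netty's SelfSignedCertificate writes (ssc.certificate()). The following is an added example, not code from the question, the answers or the Netty project. It uses only JSSE, so the same class compiles on Android, where the PEM would be read with context.getResources().openRawResource(...) instead of FileInputStream; the file name server.pem, the class name and the helper names are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Client-side trust for a self-signed server certificate: the only accepted
 * anchor is the certificate in the PEM input. No trust-all manager, no BKS
 * file and no key-store password to manage. (Hypothetical helper class.)
 */
public final class PinnedSslClient {

    /** Builds a trust manager whose only anchors are the certificate(s) in the PEM input. */
    public static X509TrustManager trustManagerFor(InputStream pem)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Empty in-memory key store (BKS on Android, JKS/PKCS12 on a JDK): no file, no password
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);
        int n = 0;
        for (Certificate c : cf.generateCertificates(pem)) {
            anchors.setCertificateEntry("anchor-" + n++, c);
        }
        if (n == 0) {
            throw new CertificateException("PEM input contained no certificate");
        }
        // TrustManagerFactory's own default algorithm, not KeyManagerFactory's
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /**
     * True iff the chain a server presented validates against the pinned anchors.
     * A false here is the same condition as the CertPathValidatorException in the
     * question: the server is presenting a certificate that is not in the store,
     * which happens whenever SelfSignedCertificate was regenerated on the server.
     */
    public static boolean accepts(X509TrustManager tm, X509Certificate[] presented) {
        try {
            tm.checkServerTrusted(presented, "RSA");   // authType for an RSA server key
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    /** SSLContext whose only trust root is the pinned certificate; no client key manager. */
    public static SSLContext contextFor(X509TrustManager tm) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /** Usage: java PinnedSslClient server.pem host port */
    public static void main(String[] args) throws Exception {
        X509TrustManager tm;
        try (InputStream in = new FileInputStream(args[0])) {
            tm = trustManagerFor(in);
        }
        System.out.println("pinned anchors: " + tm.getAcceptedIssuers().length);
        SSLContext ctx = contextFor(tm);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[1], Integer.parseInt(args[2]))) {
            // Fails here, before any application data is written, if the server's
            // certificate is not the pinned one; the question saw the same failure
            // surface from getOutputStream(), which starts the handshake implicitly.
            s.startHandshake();
            Certificate[] peer = s.getSession().getPeerCertificates();
            System.out.println("handshake ok, server presented "
                    + ((X509Certificate) peer[0]).getSubjectX500Principal());
        }
    }
}
```

Two practical notes. The PEM on the client has to be the certificate the server is using right now: Netty's SelfSignedCertificate generates a new key pair and certificate every time it is constructed, so copying ssc.certificate() once and then restarting the server produces exactly the "Trust anchor for certification path not found" failure. And because the client pins a single anchor, host name verification adds little here; if it is wanted, generate the certificate with the host name clients connect to (SelfSignedCertificate defaults to example.com) and enable it on the socket via SSLParameters.setEndpointIdentificationAlgorithm("HTTPS").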

Your client should trust the server certificate, so for testing purposes, instead of using Java's TrustManagerFactory and configuring it, which is tedious sometimes, you can use Netty's InsecureTrustManagerFactory. In this way your client will trust any certificate the server sends. But be sure not to use this in production, this is highly insecure.

vineetgarg
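If the client is itself a Netty client, the same idea (trust exactly the server's certificate, never InsecureTrustManagerFactory) is a one-line change on SslContextBuilder. The block below is an added example for Netty 4.1, not code from the question, the answer or the Netty project; the host name chat.example.internal, the exported file path and the helper names are assumptions. It also shows the server half, because the root cause of a stale pin is that SelfSignedCertificate is regenerated on every construction, so the PEM must be exported to a stable place each time the server starts.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Server and client halves of pinning a Netty SelfSignedCertificate (hypothetical helper class). */
public final class NettyTrust {

    /**
     * Server: generate the self-signed certificate for the host name clients will
     * use (Netty's default FQDN is example.com) and export the PEM to a fixed path.
     * Without the export, a restart silently replaces the certificate the client pinned.
     */
    public static SslContext serverContext(String fqdn, File exportCertTo)
            throws CertificateException, SSLException, IOException {
        SelfSignedCertificate ssc = new SelfSignedCertificate(fqdn);
        Files.copy(ssc.certificate().toPath(), exportCertTo.toPath(),
                StandardCopyOption.REPLACE_EXISTING);
        // Same as the question's SslContext.newServerContext(...), 4.1 builder style
        return SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()).build();
    }

    /** Client: the exported PEM is the only trust anchor. */
    public static SslContext clientContext(File serverCertPem) throws SSLException {
        return SslContextBuilder.forClient()
                // The insecure variant from the answer would be
                // .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .trustManager(serverCertPem)
                .build();
    }

    /**
     * Client handler bound to the peer host/port, with host name verification
     * switched on so the pinned certificate must also match the name dialled.
     */
    public static SslHandler clientHandler(SslContext ctx, ByteBufAllocator alloc,
                                           String host, int port) {
        SslHandler handler = ctx.newHandler(alloc, host, port);
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return handler;
    }

    /** Pipeline initializer for the client bootstrap: TLS goes first in the pipeline. */
    public static ChannelInitializer<SocketChannel> clientInitializer(
            final SslContext ctx, final String host, final int port) {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline().addFirst(clientHandler(ctx, ch.alloc(), host, port));
            }
        };
    }

    public static void main(String[] args) throws Exception {
        File exported = new File(System.getProperty("java.io.tmpdir"), "chat-server.pem");
        SslContext server = serverContext("chat.example.internal", exported);
        SslContext client = clientContext(exported);
        System.out.println("server cert exported to " + exported
                + " (" + exported.length() + " bytes); client pins only this file");
        // Bootstrap usage (not run here):
        //   new Bootstrap().group(group).channel(NioSocketChannel.class)
        //       .handler(clientInitializer(client, "chat.example.internal", 8443))
        //       .connect("chat.example.internal", 8443);
    }
}
```

The exported PEM is also what a non-Netty client needs: ship it as a raw resource in the Android app (or convert it into the BKS store the question uses) and re-ship it whenever the server's certificate is regenerated, otherwise the client's trust anchor no longer matches the certificate on the wire.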