8

I have an app which makes calls to a web service over https. When I run the apk on my phone, it works great. However, in the emulator, all of the POST requests over SSL fail with:

Read error: ssl=0xb402be00: Failure in SSL library, usually a protocol error error:100c50bf:SSL routines:ssl3_read_bytes:NO_RENEGOTIATION (external/boringssl/src/ssl/s3_pkt.c:852 0xabf7fcd7:0x00000000)

In the access logs on our server, it reports a 403 (Forbidden) whenever the emulator tries to hit the webservice, apparently because the emulator is not hand-shaking properly with our server. There are a bunch of lines like this in Apache's error log:

[Thu Aug 20 12:21:21 2015] [error] [client xxx.xxx.xxx.xxx] Re-negotiation handshake failed: Not accepted by client!?

Apache actually added the "!?" so it looks like a seriously unexpected error.

In my IDE, I have ticked the option for "Accept non-trusted certificates automatically" but that doesn't make a difference.

I have seen solutions on the web for fixing various SSL issues in Android; however, they all seem to be the phone itself having an issue, and require code modification. Since it works fine on the phone, it seems like this is an Android Studio problem, and I should be able to correct this with a configuration setting. Or maybe I have to do something in Apache?

Bottom line: How can I get my app to talk to an SSL webservice in the emulator in Android Studio?

Using Studio 1.3.1, Java 1.7.0_65,

```
compileSdkVersion 21
buildToolsVersion "22.0.1"
defaultConfig {
    applicationId "com.bla.bla"
    minSdkVersion 14
    targetSdkVersion 19
    multiDexEnabled true
    versionCode 12
    versionName '1.2.0.8'
}
```

chiliNUT
  • 1
    You should configure the emulator itself; the IDE configuration has nothing to do with the problem. Can you access other https websites? Do you have the date and time set correctly on the emulator? Have you tried Genymotion? – Dmide Aug 24 '15 at 18:03
  • 1
    It won't launch in Genymotion at all; I get `"Failure [INSTALL_FAILED_MISSING_SHARED_LIBRARY]"`. The date and time are correct. I don't know if it can access other sites because it doesn't have any reason to; I'm not sure how I would work that into the existing code. – chiliNUT Aug 24 '15 at 22:37
  • If your goal is to get it to work on any emulator, not exactly on the default one by Google, follow this thread http://stackoverflow.com/questions/20121883/how-to-install-google-play-services-in-a-genymotion-vm-with-no-drag-and-drop-su and try again. This should fix the FAILED_MISSING_SHARED_LIBRARY error. – Dmide Aug 25 '15 at 08:04
  • @Dmide I don't see any reference to that error on that thread. Also, I am not using Google Play Services. Also, I would like to use the built-in emulator. – chiliNUT Aug 25 '15 at 14:51
  • Can you reach the service on a browser in the emulator? – C.d. Aug 27 '15 at 11:48
  • What version of Android do you run on the phone and the emulator? And does your server support SSLv3? – Qw4z1 Aug 28 '15 at 11:10
  • @C.d. good point, I can't. I've never used the native browser, but that's the only option in the emulator, and it yells at me when I try to view any https site – chiliNUT Aug 28 '15 at 14:46

2 Answers

2

I believe this is because the emulator will reset your CA Certificates each time it runs.

Check out this post on Setting up a persistent trusted CA in an Android emulator

Please be aware that the location of the CA certs has changed in Marshmallow. I'll update with some additional information ASAP.

GMLewisII
  • 1
    I found like pretty much nothing about this topic on google, and I think it is because the general practice is to have your dev API not under SSL, and only have production API under SSL, which would avoid this problem. I came across that article doing my own googling. I haven't tried it yet but it looks very promising. – chiliNUT Aug 31 '15 at 21:40
  • 1
    I looked at the referenced article. It was posted in 2011 when the cacert.bk was still in /system/etc/security. Marshmallow now has a cacert directory in its place, filled with many files with cryptic names. Still googling for an updated method for setting up persistent certs in Marshmallow and later. – Les Mar 17 '17 at 16:18
1

I suggest you trust the certificate from the SSL-protected server at runtime.

This approach is independent of the device configuration and works fine for the phone and the emulator as well.

I wrote a small library to do so.

Read more about this topic on my blog post:

https://mklimek.github.io/trust-specific-certificate-on-jvm/

klimat
  • In general, this might be useful for coding future projects in such a way that they play nicer with the emulator. For this project, I have no desire to modify any of the existing code just so it will work in an emulator. – chiliNUT Aug 31 '15 at 21:39