0

So here's a weird situation. I have a website running on https. I also have an app on android which leverages this website to make rest API calls. Everything was working fine until now. Recently my hoster changed something and everything is falling apart. When I fire rest request from browser it works fine. But when I do it using the app it doesn't work and I get this exception:

javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Thu Aug 21 06:03:34 EDT 2014 (compared to Sat Aug 22 17:41:59 EDT 2015) at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java

But everything working fine on pc and I double checked the certificates are expiring on 2016.

So I went a step further and tried to browsershot my website and I got some funny results. Out of 300 browsers I got the same issue in a couple of them.

https://i.stack.imgur.com/d86tE.png
http://oi60.tinypic.com/30ml1n4.jpg

Also I'm now getting this warning in my host while installing SSL.

"Note: You do not have a dedicated IP address. As a result, web browsers that do not support SNI will probably give false security warnings to your users when they access any of your SSL websites. Microsoft® Internet Explorer™ on Windows XP™ is the most widely used web browser that does not support SNI."

I'm not 100% sure whether this warning was there earlier or not but I'm just trying to put the pieces together.

There is nothing wrong with the code as my apps on the phone have stopped working which was working earlier.

hellrokr
  • 25
  • 1
  • 4

2 Answers2

2

Server Name Indication (SNI) means that the client (browser, app) sends the expected host name inside the SSL/TLS handshake. This is similar to the Host HTTP header and makes it possible to have multiple virtual servers with different hostnames share the same IP address. If your client does not support SNI the server will either send some default certificate back or will trigger an error in the SSL/TLS handshake.

SNI is supported by all modern browsers, but older browsers or platforms like IE8 on XP do not support SNI. Also the Apache HTTP Request Library as shipped with the Android SDK does not support SNI which might be the issue in your case.

Everything was working fine until now. Recently my hoster changed something and everything is falling apart.

I guess this is the result of an incomplete change. It looks like the certificate for clients using SNI was replaced with a newer version because the previous one expired. But the default certificate of the site, i.e. the one used for non-SNI clients, is still the old expired certificate. Thus you get a valid certificate with all clients using SNI but an expired error with all clients not capable of doing SNI.

Community
  • 1
  • 1
Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
  • thanks! didn't know that android does not support SNI. I'm now 100% sure that this is the issue. So I got the ip address of my host and checked its certificate. Turns out its expired. Its the same expired certificate that I'm getting in my android app. – hellrokr Aug 24 '15 at 07:11
-1

I ran into the same problem while calling a third party API from my android app. To solve the problem I used HttpsURLConnection class from javax.net.ssl package which has SNI support.

A example to perform an API call.

import javax.net.ssl.HttpsURLConnection;
import java.net.URL;

public void performApiCall() {
    try {
            URL url = new URL("https://yourdestination.com");
            HttpsURLConnection connection = (HttpsURLConnection)url.openConnection();
            connection.setRequestProperty("content-type", "application/x-www-form-urlencoded");
            connection.setRequestMethod("POST");

            // other stuffs like adding parameters etc. Used android.util.Pair.

            connection.connect();

            // you can read response based on connection.getResponseCode()
    }catch(Exception e){
        e.printStackTrace();
    }
}
Ajesh M
  • 1
  • 2