3

I am attempting to connect to a local HTTPS server using the Apache DefaultHttpClient on an Android device.

    DefaultHttpClient httpclient = new DefaultHttpClient();
    HttpPost httppost = new HttpPost("http://192.168.1.121:4113/services");
    // ... header and content filling in ...
    HttpResponse response = httpclient.execute(httppost);

I am getting an error of "javax.net.ssl SSLException: Not trusted server certificate" when the .execute runs. I want to simply allow any certificate to work, regardless of if it is or is not in the android key chain.

I have spent about 40 hours researching and trying to figure out a workaround for this issue. I have seen many examples of how to do this but none so far have worked in Android; they seem to only work for Java. Does anyone know how to configure or override the certificate validation used by the Apache HttpClient in Android so that it will just approve all certificates for a DefaultHttpClient connection?

I thank you for your kind response

w.donahue
  • 1
    possible duplicate of [HTTPS GET (SSL) with Android and self-signed server certificate](http://stackoverflow.com/questions/3761737/https-get-ssl-with-android-and-self-signed-server-certificate) – C. Ross Nov 19 '13 at 21:31

2 Answers

2

If anyone is still trying to figure this out, I ended up going with the solution here:

[HTTPS GET (SSL) with Android and self-signed server certificate](http://stackoverflow.com/questions/3761737/https-get-ssl-with-android-and-self-signed-server-certificate)

Scroll down to the solution by SimonJ. It is a simple, straightforward solution to this problem.

w.donahue
1

Look at this tutorial http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates/

The tutorial is based on Apache's HttpClient and explains how to use the SSLSocketFactory to trust the defined certificates in your own keystore (it also explains how you can create it with the BouncyCastle provider).

I've tested it and it works great. In my opinion this is the secure way.

saxos
  • Thank you for trying but that is not what I want to do. I do not want to add the certificate into my keystore. I fully realize the security implications of what I am doing. This is for a commercial product and I can't expect the customers to know how to perform those actions. I have found several examples of solving this by adding the cert to the key store but no one has been able to just bypass it entirely. – w.donahue Oct 24 '10 at 16:43
  • I see. And switching to the plain old java.net libraries is not an option for you? With those you can easily accept all certs. Maybe this helps: http://stackoverflow.com/questions/2703161/apache-httpclient-4-0-ignore-ssl-certificate-errors Didn't try it. – saxos Oct 24 '10 at 21:42
  • Just forgot to mention: http://mobile.synyx.de/2010/06/android-and-self-signed-ssl-certificates/ This guy here is implementing an own SSLSocketFactory, which should accept all self-signed certs. – saxos Oct 24 '10 at 21:54
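
The keystore approach described in the second answer, sketched as an added example; it is not code from this thread or from the linked tutorial. `PinnedHttpClientFactory` and its parameters are hypothetical names, and it assumes a BKS keystore that already contains the server's certificate and ships inside the app, so end users do not have to install anything.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

/** Hypothetical helper: builds a client that trusts only the certificates in a bundled keystore. */
public final class PinnedHttpClientFactory {
    private PinnedHttpClientFactory() {}

    /**
     * @param bksStream stream over a BKS keystore holding the server certificate (assumed input)
     * @param password  password protecting that keystore
     */
    public static DefaultHttpClient create(InputStream bksStream, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trusted = KeyStore.getInstance("BKS");
        try {
            trusted.load(bksStream, password);
        } finally {
            bksStream.close();
        }

        // Trust decisions come from this keystore only, not from the device's CA store.
        // Hostname verification is left at the library default rather than disabled.
        SSLSocketFactory sslFactory = new SSLSocketFactory(trusted);

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // 443 is only the default port; an explicit port in an https:// URL still uses this factory.
        registry.register(new Scheme("https", sslFactory, 443));

        HttpParams params = new BasicHttpParams();
        ClientConnectionManager manager = new SingleClientConnManager(params, registry);
        return new DefaultHttpClient(manager, params);
    }
}
```

Because the certificate is checked against the bundled keystore, a server presenting any other certificate still fails the handshake with an `SSLException`.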