4

Since I update my WebView-based app to comply with Google's requirement to remove the catchall SslErrorHandler.proceed():

Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

Using this solution:

 @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(this);
    String message = "SSL Certificate error.";
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:
                message = "The certificate authority is not trusted.";
                break;
            case SslError.SSL_EXPIRED:
                message = "The certificate has expired.";
                break;
            case SslError.SSL_IDMISMATCH:
                message = "The certificate Hostname mismatch.";
                break;
            case SslError.SSL_NOTYETVALID:
                message = "The certificate is not yet valid.";
                break;
        }
        message += " Do you want to continue anyway?";

        builder.setTitle("SSL Certificate Error");
        builder.setMessage(message);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

My app keeps encountering SslError.SSL_INVALID ("A generic error occurred.") when accessing nytimes.com.

This doesn't happen with other sites, like wikipedia.org for example.

Clearly, there is something different about nytimes that triggers an SslError. But it's not an invalid or expired cert, so I can't fix this.

What can I possibly do to troubleshoot and fix this problem?

BTW, I have tried tips 1-4 in this article (resetting my smartphone to factory settings, is just too much and unacceptable for me). To no avail.

Any ideas?

Vsevolod Krasnov
  • 1,482
  • 2
  • 13
  • 20
WebViewer
  • 761
  • 7
  • 21
  • 1
    "My app keeps encountering SslError.SSL_INVALID" -- when? When you first request their page, or after displaying this dialog and proceeding? – CommonsWare Feb 13 '17 at 17:41
  • @CommonsWare Both: When I first request their page **and** countless times after displaying this dialog and proceeding. – WebViewer Feb 13 '17 at 19:30

0 Answers0