Secure HTTP Post in Android with self-signed certificate

Question

I am currently working on my first android app and first api for my organizations website. I am attempting to connect to the api from the android app using a secure connection. Our website has a test port on 8090 that I am attempting to use to test out the api but the problem I am running into is that I have a self-signed certificate on the website which from what I have read online, android apps don't like. To make sure there isn't a problem with the api, I have used it with an http rather than https connection and it works great. I have tried a couple solutions I found online including a couple from this site but none seem to work. Again, I don't have much experience with developing for Android so much of my attempts were just copy and pasting from the solution I found online. Here are some links to what I have tried:

Https Connection Android

http://yekmer.posterous.com/how-to-accept-self-signed-certificates-in-and

there are other pages that I can't find the links to now but below is the code that I am currently using to connect:

        HttpClient httpclient = new DefaultHttpClient();
        HttpPost httppost = new HttpPost("https://website.edu:8090/api.php?");

        try {
            // Add your data
            List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
            nameValuePairs.add(new BasicNameValuePair("method", "login"));
            nameValuePairs.add(new BasicNameValuePair("user", username.getText().toString()));
            nameValuePairs.add(new BasicNameValuePair("pass", md5(password.getText().toString())));
            nameValuePairs.add(new BasicNameValuePair("submitLogin", "1"));
            httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs, HTTP.UTF_8));
            HttpParams params = httppost.getParams();
            HttpConnectionParams.setConnectionTimeout(params, 45000);
            HttpConnectionParams.setSoTimeout(params, 45000);

            // Execute HTTP Post Request
            HttpResponse response = httpclient.execute(httppost);
        } catch (ClientProtocolException e) {
            e.printStackTrace();                
        } catch (IOException e) {               
            e.printStackTrace();
        }

I would also like to add that buying a certificate is not an option since we don't have a budget to work with so anything that would work around the self-signed certificate issue would be great. Thanks in advance!

possible duplicate of [Trusting all certificates using HttpClient over HTTPS](http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https) — Vineet Reynolds, May 30 '11 at 05:47

score 1 · Accepted Answer · answered May 31 '11 at 07:50

Maybe ignore serificates at all for the time, until it is signed?

Try this one:

public static javax.net.ssl.TrustManager getTrustManager()
{
    javax.net.ssl.TrustManager tm = new javax.net.ssl.X509TrustManager() {

        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
        }

        @Override
        public void checkClientTrusted(
                java.security.cert.X509Certificate[] chain, String authType)
                throws java.security.cert.CertificateException {

        }

        @Override
        public void checkServerTrusted(
                java.security.cert.X509Certificate[] chain, String authType)
                throws java.security.cert.CertificateException {        
        }
        };
        return tm;
}



public static DefaultHttpClient getThreadSafeClient() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException, UnrecoverableKeyException {
    DefaultHttpClient client = new DefaultHttpClient();
    ClientConnectionManager mgr = client.getConnectionManager();
    HttpParams cleintParams = client.getParams();

    cleintParams.setBooleanParameter("http.protocol.expect-continue", true);
    cleintParams.setBooleanParameter("http.protocol.warn-extra-input", true);
    // params.setIntParameter("http.socket.receivebuffer", 999999);

    //---->> SSL
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    trustStore.load(null, null);

    SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
    sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

    HttpParams params = new BasicHttpParams();
    HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
   // HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

    SchemeRegistry registry = new SchemeRegistry();
    registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
    registry.register(new Scheme("https", sf, 443));

    //<<------


client = new DefaultHttpClient(new ThreadSafeClientConnManager(params, registry), cleintParams);

    return client;
}

Doesn't work for me, still getting SSLPeerUnverifiedException. On Nexus One 2.3.6. — Mathias Conradt, Nov 01 '11 at 09:29

Secure HTTP Post in Android with self-signed certificate

1 Answers1