Android: Making Https Request

Question

How do I avoid the "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" exception and the Android Apache lib gap "The constructor SSLSocketFactory(SSLContext) is undefined" in making an Https request?

I have an answer that is working for me. I will post it sometime after my 8 hour time limit has expired. Come on Stack Overflow, just let me answer my own question! — rposky, Oct 01 '11 at 18:15
You need some more points first :) here's a contribution from me. — Peter Lillevold, Oct 01 '11 at 18:32
FYI this bug seems baked into some HTC phone firmwares as of writing this (02/2013) — Richard Le Mesurier, Feb 27 '13 at 13:34

score 46 · Accepted Answer · edited May 23 '17 at 12:09

This method takes an HttpClient instance and returns a ready-for-https HttpClient instance.

 private HttpClient sslClient(HttpClient client) {
    try {
        X509TrustManager tm = new X509TrustManager() { 
            public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
            }

            public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
            }

            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        SSLSocketFactory ssf = new MySSLSocketFactory(ctx);
        ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        ClientConnectionManager ccm = client.getConnectionManager();
        SchemeRegistry sr = ccm.getSchemeRegistry();
        sr.register(new Scheme("https", ssf, 443));
        return new DefaultHttpClient(ccm, client.getParams());
    } catch (Exception ex) {
        return null;
    }
}

Because the Android org.apache.http.conn.ssl.SSLSocketFactory does not have the SSLSocketFactory(SSLContext) constructor, I have extended the class as follows.

 public class MySSLSocketFactory extends SSLSocketFactory {
     SSLContext sslContext = SSLContext.getInstance("TLS");

     public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
         super(truststore);

         TrustManager tm = new X509TrustManager() {
             public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
             }

             public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
             }

             public X509Certificate[] getAcceptedIssuers() {
                 return null;
             }
         };

         sslContext.init(null, new TrustManager[] { tm }, null);
     }

     public MySSLSocketFactory(SSLContext context) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException {
        super(null);
        sslContext = context;
     }

     @Override
     public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
         return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
     }

     @Override
     public Socket createSocket() throws IOException {
         return sslContext.getSocketFactory().createSocket();
     }
}

Excellent article here: http://javaskeleton.blogspot.com/2010/07/avoiding-peer-not-authenticated-with.html

And some help here: Trusting all certificates using HttpClient over HTTPS

Thanks, I would have been really lost without your help! Note to other folks implementing this answer: please be careful that you've included org.apache.http.conn.ssl.SSLSocketFactory, NOT javax.net.ssl.SSLSocketFactory. They're different and not compatible. — Catherine Darrow, Jan 18 '13 at 19:45
Do keep in mind that using a no-op `TrustManager` and the `ALLOW_ALL_HOSTNAME_VERIFIER` is pretty questionable from a security perspective. If the goal is to connect to a test environment, fine, but please don't put this code into production. — Barend, Feb 25 '13 at 09:54
There is an error at the line **super(null);**, says **The constructor SSLSocketFactory(KeyStore) is ambiguous.** — ThinkChris, May 20 '13 at 12:10
@ThinkChris Try casting that null to a SSLContext instance. super((SSLContext) null); — rposky, May 22 '13 at 16:12
Your `getAcceptedIssuers()` method doesn't obey the specification. — user207421, May 02 '14 at 10:25
Any application using this could be listed in the paper mentioned in [this question](http://security.stackexchange.com/q/22965/2435)... This may "work", but this is also insecure. — Bruno, May 22 '14 at 01:45
how to accept only my server certificate instead of trusting all certificates as mentioned in your example ? — cafebabe1991, Jun 09 '14 at 14:22

score 1 · Answer 2 · edited May 23 '17 at 12:14

I had similar problem which is more like this question but the root cause was completely different from those mentioned in both questions.

I was using DefaultHttpClient as httpclient for requesting https://maps.googleapis.com like links. I was trying whole banch of proposed solutions but none worked for me. After some more hours trying to solve it found root cause: My device was connected to a guest WIFI which probably has some specific filtering rules which blocked relevant network parts. Switching to a different network solved my problem.

Android: Making Https Request

2 Answers2

Linked

Related