
I have tried so many options, I'm going to go crazy. I continue to get an SSL exception every time I try to post to a URL.

This works like a dream in C# using an HttpWebRequest.

The errors I get are:

    Not trusted server certificate
    java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.

I am trying the following approach now, but I have tried custom SocketFactories, everything. Please help!

    final String httpsURL = "https://...";
    final DefaultHttpClient client = new DefaultHttpClient();
    final HttpPost httppost = new HttpPost(httpsURL);

    //authentication block:
    final List<BasicNameValuePair> nvps = new ArrayList<BasicNameValuePair>();
    nvps.add(new BasicNameValuePair("mail", username));
    nvps.add(new BasicNameValuePair("password", password));
    UrlEncodedFormEntity p_entity = null;
    try {
        p_entity = new UrlEncodedFormEntity(nvps, HTTP.UTF_8);
    } catch (UnsupportedEncodingException e1) {
        // TODO Auto-generated catch block
        e1.printStackTrace();
    }
    httppost.setEntity(p_entity);

    //sending the request and retrieving the response:
    HttpResponse response = null;
    try {
        response = client.execute(httppost, _context);
    } catch (ClientProtocolException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    //handling the response: responseEntity.getContent() is your InputStream
    //response is still null if execute() threw above, so guard before dereferencing it
    if (response != null) {
        final HttpEntity responseEntity = response.getEntity();
        try {
            final InputSource inputSource = new InputSource(responseEntity.getContent());
        } catch (IllegalStateException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
Benny
  • In the past, I had to add the cert to the Java key store in order to make requests like this work. – mikey Oct 06 '11 at 04:54
  • @mikey, how do I find the certificate I pass? – Benny Oct 07 '11 at 02:14
  • I don't believe you're passing a cert. You need to ensure that the cert the server gives you is trusted. C# and HttpRequest validate https requests against a different certificate store than Java. This appears to be a good resource: http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates/ – mikey Oct 07 '11 at 13:53
  • Notice that he mentions creating a cert store file used when building your request, but I don't have the server cert. – Benny Oct 07 '11 at 15:15
  • I've not had to do this myself. It sort of depends on if you can get the CA certs or not as it may be better to add the certs of the CA. But you can use this tool to pull the cert off the site if you need: https://addons.mozilla.org/en-US/firefox/addon/cert-viewer-plus/ – mikey Oct 07 '11 at 15:39
  • Interestingly enough, I just got this to work by switching to version 11 of the API (I was using version 8). Any ideas why this might be the case? I would really like this to be available to those still on Froyo. – Benny Oct 07 '11 at 16:00
  • Probably the newer version has an updated set of trusted CAs. – mikey Oct 08 '11 at 00:24

1 Answer


You need to consider how Android determines the validity of certificates. When it needs to verify a certificate, it will look at the chain of signatures. If it can find a trusted authority at its top, and the certificate is not on the revocation list, then it will be trusted.

To reduce time-intensive queries, Android comes bundled with a list of common CAs that it trusts. As you noted in the comments, the error disappeared when you upgraded. This is most likely due to the CA you were using being added to the list of shipped trusted CAs.

You can, if you trust the certificate, add it to this list of trusted CAs. The accepted answer to this question has some details on this procedure for older versions! Newer versions are more likely to come shipped with the certificates you will need. With newer versions, you can install certificates directly from your SD card. Go to Settings -> Security. Under Credential storage you will find the option Install from device storage. As long as you are using a standard format, you should be able to install your certificate!

My source: Security with HTTPS and SSL | Android Developers

Eric Tobias
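The "TrustAnchor for CertPath not found" failure discussed above can also be resolved per application, by loading the server's CA certificate into an in-memory key store and validating against it, while leaving chain and hostname checks enabled. This is an added example, not code from the original posts; the class name `PinnedCaClient`, the alias `server-ca`, and the two command-line arguments (URL and CA certificate file) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedCaClient {

    /** Builds an SSLContext whose only trust anchor is the CA certificate read from caInput. */
    static SSLContext contextTrusting(InputStream caInput) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caInput); // accepts PEM or DER

        // In-memory key store holding just this CA; the system store is not modified.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("server-ca", ca); // alias is an arbitrary label

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    /** Opens a connection that validates the server chain against that CA only. */
    static HttpsURLConnection open(String url, InputStream caInput) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextTrusting(caInput).getSocketFactory());
        // The default HostnameVerifier stays in place: the certificate name must still match.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: HTTPS URL, args[1]: path to the CA certificate file (both supplied by the caller)
        InputStream in = new FileInputStream(args[1]);
        try {
            HttpsURLConnection conn = open(args[0], in);
            System.out.println("HTTP " + conn.getResponseCode());
        } finally {
            in.close();
        }
    }
}
```

A connection to a server whose chain does not lead to the loaded CA still fails with an `SSLHandshakeException`, which is the intended behaviour.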