I know this question was asked several times but I didn't find any complete solution... Here is the context: I'm developing an Android application which allows the user to connect to his self-hosted instance of a web application. Some users contacted me to ask if I could add support for HTTPS and, of course, support for home-made certificates. So I read a lot of stuff and this is what I understood:
- The easy but insecure solution is to allow all certificates, without checking anything. I implemented that and it works but it's clearly not a good solution!
- Another solution is to create a keystore with the needed certificates. But on the one hand I don't know in advance the certificates of the users, and on the other hand, it's difficult to ask a user who wants to use this application with HTTPS to play with keytool or something else...
So I would like to implement the same solution as a web browser, for example. So, when a user tries to connect to his self-hosted server with HTTPS for the first time, the application shows him the details of the untrusted certificate and asks him if he is sure he wants to connect. By selecting "Yes I'm sure", this certificate will be stored and the application will never ask him anything about that again.
For now, I'm using a solution with HttpClient and a custom SSLSocketFactory which allows all certificates... I also saw something like SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER but I don't really understand if it could help me.
Do you have any idea about how I could offer a user-friendly and secure solution to use HTTPS with home-made certificates?
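One way to build the browser-style "ask once, then remember" flow described above, as an added example that is not from the question or from any answer: an X509TrustManager that accepts certificates the platform CAs validate and otherwise requires the leaf certificate's SHA-256 fingerprint to have been approved by the user for that specific host. `FingerprintStore` and `UntrustedCertificateException` are assumed names for app-side code, not Android APIs.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
/** Trust-on-first-use (TOFU) trust manager, keyed per host so a certificate
 *  approved for one server is never silently trusted for another. */
public final class TofuTrustManager implements X509TrustManager {
    /** Assumed app-side persistence (e.g. backed by SharedPreferences); not an Android API. */
    public interface FingerprintStore {
        boolean contains(String host, String sha256Hex);
        void add(String host, String sha256Hex);
    }
    /** Raised for a certificate the user has not approved yet; the UI shows the
     *  details and, on "Yes I'm sure", calls FingerprintStore.add() and retries. */
    public static final class UntrustedCertificateException extends CertificateException {
        public final X509Certificate certificate;
        public final String sha256Hex;
        UntrustedCertificateException(X509Certificate c, String fp) {
            super("Unapproved server certificate, SHA-256 " + fp);
            certificate = c; sha256Hex = fp;
        }
    }
    private final X509TrustManager systemTrust; // platform CA-backed manager from TrustManagerFactory
    private final FingerprintStore store;
    private final String host;
    public TofuTrustManager(X509TrustManager systemTrust, FingerprintStore store, String host) {
        this.systemTrust = systemTrust; this.store = store; this.host = host;
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        try { systemTrust.checkServerTrusted(chain, authType); return; } // publicly trusted CA: accept
        catch (CertificateException ignored) { /* not publicly trusted: fall through to the TOFU check */ }
        X509Certificate leaf = chain[0];
        leaf.checkValidity();                   // an expired or not-yet-valid cert is still rejected
        String fp = fingerprint(leaf);
        if (!store.contains(host, fp)) throw new UntrustedCertificateException(leaf, fp);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { systemTrust.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return systemTrust.getAcceptedIssuers(); }
    /** Hex SHA-256 over the DER encoding: the value shown to the user and persisted. */
    public static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
                sb.append(String.format("%02X", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }
}
```

Install it with `SSLContext.init(null, new TrustManager[]{tm}, null)` and keep the default hostname verifier for the CA-validated path; the UI layer catches `UntrustedCertificateException`, displays `certificate.getSubjectDN()` plus the fingerprint, and calls `store.add(host, fp)` only after the user confirms.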