
I'm getting an SSLPeerUnverifiedException: "No Peer Certificate" when connecting to a web service from my Android app which is hosted on a server with an SSL certificate by Thawte CA.

Please bear in mind that I'm in way over my head when it comes to the server side of things, but a bunch of solutions I've seen for this on SO involve blatantly trusting any certificate. Most of the solutions are from 2010-early 2011.

I have two questions, specifically:

  1. How / where do I check if Thawte CA is a trusted CA for Android?
  2. How do I solve this issue?

Thanks!

Sid

2 Answers

For anyone looking for an answer: After loads of time spent scouring SO and the internet, I learned that there could be two possible causes:

  1. Improper installation of an intermediate certificate (which wasn't the case here)
  2. Incorrect ordering of the certificate chain (this was the case here).

The answer that really helped me out was by SO user bdc on this thread: Apache HttpClient on Android producing CertPathValidatorException (IssuerName != SubjectName).

In short, he suggested checking the chain ordering by running openssl s_client -connect server.domain.com:443. Running this command in the Mac Terminal with the domain name of the server where the API was hosted showed that the chain ordering was incorrect.

Once the ordering was fixed on the server side, voila! Everything works A-OK!

Sid

Totally agree with @Sid here. Please don't add any spurious kludgey code on Android to bypass SSL exceptions. It totally defeats the purpose of SSL.

For anyone having issues connecting over https to a tomcat server from android:

Make sure you chain with the root and intermediate certificates of your CA. I didn't generate the private key used to create the CSR for GoDaddy, our CA, so I had to convert the key and certs to PKCS12 before importing into a keystore. Note the -chain option. It's important.

openssl pkcs12 -export -out mykey.pks -inkey private_key.key -in domain.crt -CAfile ca_intermed_root_bundle.crt -chain -name alias_name -passout stdin

(enter password through stdin)

Now, import mykey.pks into a java keystore

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore mystore.keystore -srckeystore mykey.pks -srcstoretype PKCS12 -alias alias_name

This keystore can now be used in the tomcat 8443 connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path../mystore.keystore"
           keystorePass="changeit" keyAlias="alias_name"
           />

I was having repeated SSLPeerUnverifiedExceptions when connecting from Android and this totally fixed it. Finally, please verify with http://www.sslshopper.com/ssl-checker.html or any other tool to check that the certificates are chained correctly.

AVM
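Both answers come down to the same two checks, so here is one added script (example code, written for this page; it is not code from either answer and not anything the OP or the commenters posted) that makes them mechanical. It covers the first answer's "look at the chain order in openssl s_client output" by comparing each certificate's issuer with the next certificate's subject, and the second answer's "pack key and chain into PKCS#12 with -chain" by counting how many certificates actually ended up inside the file. Everything it needs is the openssl CLI. The root, intermediate and leaf it generates (CN "Demo Root CA", "Demo Intermediate CA", "api.example.test"), the alias "tomcat" and the work directory are constructed for the demo; the password "changeit" is the one the answer above uses. A keytool import of the resulting .p12 is the same command as in the answer and is not repeated here.

```shell
#!/bin/sh
# Added example, not from the original answers. Requires only the openssl CLI.
set -u

# Dump the chain a live server presents, in the order the server sends it
# (the first answer's s_client check, with the PEM blocks extracted).
# Not used by the self-test; pass the host you are debugging.
fetch_server_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Print "ok" if every certificate in a PEM bundle is immediately followed by
# its issuer (leaf, intermediate(s), root), "misordered" otherwise. A chain
# sent in the wrong order is exactly what produced the
# CertPathValidatorException / SSLPeerUnverifiedException discussed above.
check_chain_order() {
    bundle=$1
    dir=$(mktemp -d)
    # split the bundle into one file per certificate, numbered in bundle order
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert" sprintf("%03d", n) ".pem") }' "$bundle"
    status=ok
    prev_issuer=""
    for f in "$dir"/cert*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject)
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        subject=${subject#subject=}   # strip the label; works for old and new openssl formats
        issuer=${issuer#issuer=}
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            status=misordered
        fi
        prev_issuer=$issuer
    done
    rm -rf "$dir"
    echo "$status"
}

# Build a throw-away root -> intermediate -> leaf chain in directory $1.
# Names are constructed for the demo. CA certs get basicConstraints CA:TRUE
# so that openssl's chain building (used by pkcs12 -chain) accepts them.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=api.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 1 -out "$d/leaf.pem" 2>/dev/null
    # the order a server should send, and the swapped order the first answer hit
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good_chain.pem"
    cat "$d/int.pem" "$d/leaf.pem" "$d/root.pem" > "$d/bad_chain.pem"
}

# Pack key + leaf + chain into PKCS#12 as the second answer does (note -chain),
# then print how many certificates the file carries. With the demo chain the
# expected count is 3 (leaf, intermediate, root); 1 means the chain was dropped.
count_pkcs12_certs() {
    d=$1
    cat "$d/int.pem" "$d/root.pem" > "$d/ca_bundle.pem"
    openssl pkcs12 -export -out "$d/server.p12" -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -CAfile "$d/ca_bundle.pem" -chain -name tomcat -passout pass:changeit 2>/dev/null
    openssl pkcs12 -in "$d/server.p12" -nokeys -passin pass:changeit 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Stand-alone demo: sh thisfile.sh demo
demo() {
    work=$(mktemp -d)
    make_demo_chain "$work"
    echo "correct order: $(check_chain_order "$work/good_chain.pem")"
    echo "swapped order: $(check_chain_order "$work/bad_chain.pem")"
    echo "certs in p12:  $(count_pkcs12_certs "$work")"
    rm -rf "$work"
}
[ "${1:-}" = demo ] && demo
```

For a real server, `fetch_server_chain your.host > chain.pem` followed by `check_chain_order chain.pem` reproduces the first answer's diagnosis without reading subject/issuer lines by eye; a chain that comes back "misordered" is fixed on the server (bundle order, or the Tomcat keystore built as in the second answer), never by relaxing verification in the app.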