accepting HTTPS connections with self-signed certificates

Question

I m trying to make HTTPS connections  using HttpClient lib  but the problem is that  since the certificate isn t signed by a recognized Certificate Authority  CA  like Verisign GlobalSIgn  etc   listed on the set of Android Trusted Certificates  I keep getting javax net ssl SSLException  Not trusted server certificate   I ve seen  solutions where you simply accept all certificates  but what if I want to ask the user    I want to get a dialog similar to that of the browser  letting the user decide to continue or not  Preferably I d like to use the same certificatestore as the browser  Any ideas

User · Answer

The following main steps are required to achieve a secured connection from Certification Authorities which are not considered as trusted by the android platform.

As requested by many users, I've mirrored the most important parts from my blog article here:

Grab all required certificates (root and any intermediate CA’s)
Create a keystore with keytool and the BouncyCastle provider and import the certs
Load the keystore in your android app and use it for the secured connections (I recommend to use the Apache HttpClient instead of the standard java.net.ssl.HttpsURLConnection (easier to understand, more performant)

Grab the certs

You have to obtain all certificates that build a chain from the endpoint certificate the whole way up to the Root CA. This means, any (if present) Intermediate CA certs and also the Root CA cert. You don’t need to obtain the endpoint certificate.

Create the keystore

Download the BouncyCastle Provider and store it to a known location. Also ensure that you can invoke the keytool command (usually located under the bin folder of your JRE installation).

Now import the obtained certs (don’t import the endpoint cert) into a BouncyCastle formatted keystore.

I didn’t test it, but I think the order of importing the certificates is important. This means, import the lowermost Intermediate CA certificate first and then all the way up to the Root CA certificate.

With the following command a new keystore (if not already present) with the password mysecret will be created and the Intermediate CA certificate will be imported. I also defined the BouncyCastle provider, where it can be found on my file system and the keystore format. Execute this command for each certificate in the chain.

keytool -importcert -v -trustcacerts -file "path_to_cert/interm_ca.cer" -alias IntermediateCA -keystore "res/raw/mykeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "path_to_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mysecret

Verify if the certificates were imported correctly into the keystore:

keytool -list -keystore "res/raw/mykeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "path_to_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mysecret

Should output the whole chain:

RootCA, 22.10.2010, trustedCertEntry, Thumbprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
IntermediateCA, 22.10.2010, trustedCertEntry, Thumbprint (MD5): 98:0F:C3:F8:39:F7:D8:05:07:02:0D:E3:14:5B:29:43

Now you can copy the keystore as a raw resource in your android app under res/raw/

Use the keystore in your app

First of all we have to create a custom Apache HttpClient that uses our keystore for HTTPS connections:

import org.apache.http.*

public class MyHttpClient extends DefaultHttpClient {

    final Context context;

    public MyHttpClient(Context context) {
        this.context = context;
    }

    @Override
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // Register for port 443 our SSLSocketFactory with our keystore
        // to the ConnectionManager
        registry.register(new Scheme("https", newSslSocketFactory(), 443));
        return new SingleClientConnManager(getParams(), registry);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("BKS");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = context.getResources().openRawResource(R.raw.mykeystore);
            try {
                // Initialize the keystore with the provided trusted certificates
                // Also provide the password of the keystore
                trusted.load(in, "mysecret".toCharArray());
            } finally {
                in.close();
            }
            // Pass the keystore to the SSLSocketFactory. The factory is responsible
            // for the verification of the server certificate.
            SSLSocketFactory sf = new SSLSocketFactory(trusted);
            // Hostname verification from certificate
            // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
            sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}

We have created our custom HttpClient, now we can use it for secure connections. For example when we make a GET call to a REST resource:

// Instantiate the custom HttpClient
DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpGet get = new HttpGet("https://www.mydomain.ch/rest/contacts/23");
// Execute the GET call and obtain the response
HttpResponse getResponse = client.execute(get);
HttpEntity responseEntity = getResponse.getEntity();

That's it ;)

User · Answer

None of these fixes worked for my develop platform targeting SDK 16  Release 4 1 2  so I found a workaround   My app stores data on server using  http   www example com page php data somedata   Recently page php was moved to  https   www secure-example com page php  and I keep getting  javax net ssl SSLException  Not trusted server certificate    Instead of accepting all certificates for only a single page  starting with this guide I solved my problem writing my own page php published on  http   www example com page php     lt  php  caronte   https   www secure-example com page php     function caronte  url           build curl request      ch   curl init        foreach    POST as  a   gt   b             post htmlentities  a   htmlentities  b             curl setopt  ch  CURLOPT URL  url       curl setopt  ch  CURLOPT POST  1       curl setopt  ch  CURLOPT POSTFIELDS http build query  post            receive server response         curl setopt  ch  CURLOPT RETURNTRANSFER  true        server output   curl exec   ch       curl close   ch        echo  server output       gt

User · Answer

This is problem resulting from lack of SNI Server Name Identification  support inA ndroid 2 x  I was struggling with this problem for a week until I came across the following question  which not only gives a good background of the problem but also provides a working and effective solution devoid of any security holes     39 No peer certificate  39  error in Android 2 3 but NOT in 4

User · Answer

Google recommends the usage of Android Volley for HTTP HTTPS connections  since that HttpClient is deprecated  So  you know the right choice     And also  NEVER NUKE SSL Certificates  NEVER      To nuke SSL Certificates  is totally against the purpose of SSL  which is promoting security  There s no sense of using SSL  if you re planning to bomb all SSL certificates that comes  A better solution would be creating a custom TrustManager on your App   using Android Volley for HTTP HTTPS connections  Here s a Gist which I created  with a basic LoginApp  performing HTTPS connections  using a Self-Signed Certificate on the server-side  accepted on the App  Here s also another Gist that may help  for creating Self-Signed SSL Certificates for setting up on your Server and also using the certificate on your App  Very important  you must copy the  crt file which was generated by the script above  to the  quot raw quot  directory from your Android project

User · Answer

If you have a custom self-signed certificate on server that is not there on device  you can use the below class to load it and use it on client side in Android   Place the certificate   crt file in  res raw so that it is available from R raw    Use below class to obtain an HTTPClient or HttpsURLConnection which will have a socket factory using that certificate    package com example customssl   import android content Context  import org apache http client HttpClient  import org apache http conn scheme PlainSocketFactory  import org apache http conn scheme Scheme  import org apache http conn scheme SchemeRegistry  import org apache http conn ssl AllowAllHostnameVerifier  import org apache http conn ssl SSLSocketFactory  import org apache http impl client DefaultHttpClient  import org apache http impl conn tsccm ThreadSafeClientConnManager  import org apache http params BasicHttpParams  import org apache http params HttpParams   import javax net ssl HttpsURLConnection  import javax net ssl SSLContext  import javax net ssl TrustManagerFactory  import java io IOException  import java io InputStream  import java net URL  import java security KeyStore  import java security KeyStoreException  import java security NoSuchAlgorithmException  import java security cert Certificate  import java security cert CertificateException  import java security cert CertificateFactory   public class CustomCAHttpsProvider                   Creates a   link org apache http client HttpClient  which is configured to work with a custom authority        certificate                 param context       Application Context         param certRawResId  R raw id of certificate file    crt   Should be stored in  res raw          param allowAllHosts If true then client will not check server against host names of certificate          return Http Client          throws Exception If there is an error initializing the client              public static HttpClient getHttpClient Context context  int certRawResId  boolean allowAllHosts  throws Exception                build key store with ca certificate         KeyStore keyStore   buildKeyStore context  certRawResId               init ssl socket factory with key store         SSLSocketFactory sslSocketFactory   new SSLSocketFactory keyStore               skip hostname security check if specified         if  allowAllHosts                sslSocketFactory setHostnameVerifier new AllowAllHostnameVerifier                           basic http params for client         HttpParams params   new BasicHttpParams                normal scheme registry with our ssl socket factory for  https          SchemeRegistry schemeRegistry   new SchemeRegistry            schemeRegistry register new Scheme  http   PlainSocketFactory getSocketFactory    80            schemeRegistry register new Scheme  https   sslSocketFactory  443                create connection manager         ThreadSafeClientConnManager cm   new ThreadSafeClientConnManager params  schemeRegistry               create http client         return new DefaultHttpClient cm  params                         Creates a   link javax net ssl HttpsURLConnection  which is configured to work with a custom authority        certificate                 param urlString     remote url string          param context       Application Context         param certRawResId  R raw id of certificate file    crt   Should be stored in  res raw          param allowAllHosts If true then client will not check server against host names of certificate          return Http url connection          throws Exception If there is an error initializing the connection              public static HttpsURLConnection getHttpsUrlConnection String urlString  Context context  int certRawResId                                                             boolean allowAllHosts  throws Exception               build key store with ca certificate         KeyStore keyStore   buildKeyStore context  certRawResId               Create a TrustManager that trusts the CAs in our KeyStore         String tmfAlgorithm   TrustManagerFactory getDefaultAlgorithm            TrustManagerFactory tmf   TrustManagerFactory getInstance tmfAlgorithm           tmf init keyStore               Create an SSLContext that uses our TrustManager         SSLContext sslContext   SSLContext getInstance  TLS            sslContext init null  tmf getTrustManagers    null               Create a connection from url         URL url   new URL urlString           HttpsURLConnection urlConnection    HttpsURLConnection  url openConnection            urlConnection setSSLSocketFactory sslContext getSocketFactory                 skip hostname security check if specified         if  allowAllHosts                urlConnection setHostnameVerifier new AllowAllHostnameVerifier                        return urlConnection             private static KeyStore buildKeyStore Context context  int certRawResId  throws KeyStoreException  CertificateException  NoSuchAlgorithmException  IOException              init a default key store         String keyStoreType   KeyStore getDefaultType            KeyStore keyStore   KeyStore getInstance keyStoreType           keyStore load null  null               read and add certificate authority         Certificate cert   readCert context  certRawResId           keyStore setCertificateEntry  ca   cert            return keyStore             private static Certificate readCert Context context  int certResourceId  throws CertificateException  IOException               read certificate resource         InputStream caInput   context getResources   openRawResource certResourceId            Certificate ca          try                  generate a certificate             CertificateFactory cf   CertificateFactory getInstance  X 509                ca   cf generateCertificate caInput             finally               caInput close                       return ca             Key points    Certificate objects are generated from  crt files  A default KeyStore is created  keyStore setCertificateEntry  ca   cert  is adding certificate to key store under alias  ca   You modify the code to add more certificates  intermediate CA etc   Main objective is to generate a SSLSocketFactory which can then be used by HTTPClient or HttpsURLConnection  SSLSocketFactory can be configured further  for example to skip host name verification etc     More information at   http   developer android com training articles security-ssl html

User · Answer

The top answer didn  t work for me  After some investigation I found the required information on  Android Developer   https   developer android com training articles security-ssl html SelfSigned  Creating an empty implementation of X509TrustManager did the trick   private static class MyTrustManager implements X509TrustManager         Override     public void checkClientTrusted X509Certificate   chain  String authType           throws CertificateException                   Override     public void checkServerTrusted X509Certificate   chain  String authType          throws CertificateException                   Override     public X509Certificate   getAcceptedIssuers                 return null                 HttpsURLConnection conn    HttpsURLConnection  url openConnection    try          Create an SSLContext that uses our TrustManager     SSLContext context   SSLContext getInstance  TLS        TrustManager   tmlist    new MyTrustManager         context init null  tmlist  null       conn setSSLSocketFactory context getSocketFactory       catch  NoSuchAlgorithmException e        throw new IOException e     catch  KeyManagementException e        throw new IOException e     conn setRequestMethod  GET    int rcode   conn getResponseCode      Please be aware that this empty implementation of TustManager is just an example and using it in a productive environment would cause a severe security threat

User · Answer

Jan 19th  2020 Self Signed Certificate ISSUE FIX   To play video   image   calling webservice for any self signed certificate or connecting to any unsecured url just call this method before performing any action   it will fix your issue regarding certificate issue    KOTLIN CODE    private fun disableSSLCertificateChecking             val hostnameVerifier   object  HostnameVerifier               override fun verify s String  sslSession  SSLSession  Boolean                   return true                                 val trustAllCerts   arrayOf lt TrustManager gt  object  X509TrustManager               override fun getAcceptedIssuers    Array lt X509Certificate gt                    TODO  not implemented     To change body of created functions use File   Settings   File Templates                               val acceptedIssuers Array lt X509Certificate gt    null              Throws CertificateException  class              override fun checkClientTrusted arg0 Array lt X509Certificate gt   arg1 String      Not implemented                            Throws CertificateException  class              override fun checkServerTrusted arg0 Array lt X509Certificate gt   arg1 String      Not implemented                                  try                       val sc   SSLContext getInstance  TLS               sc init null  trustAllCerts  java security SecureRandom                HttpsURLConnection setDefaultSSLSocketFactory sc getSocketFactory                HttpsURLConnection setDefaultHostnameVerifier hostnameVerifier                    catch  e  KeyManagementException                e printStackTrace                     catch  e  NoSuchAlgorithmException                e printStackTrace

User · Answer

Here s how you can add additional certificates to your KeyStore to avoid this problem  Trusting all certificates using HttpClient over HTTPS  It won t prompt the user like you ask  but it will make it less likely that the user will run into a  Not trusted server certificate  error

User · Answer

The first thing you need to do is to set the level of verification  Such levels is not so much    ALLOW ALL HOSTNAME VERIFIER BROWSER COMPATIBLE HOSTNAME VERIFIER STRICT HOSTNAME VERIFIER   Although the method setHostnameVerifier   is obsolete for new library apache  but for version in Android SDK is normal  And so we take ALLOW ALL HOSTNAME VERIFIER and set it in the method factory SSLSocketFactory setHostnameVerifier     Next  You need set our factory for the protocol to https  To do this  simply call the SchemeRegistry register   method   Then you need to create a DefaultHttpClient with SingleClientConnManager  Also in the code below you can see that on default will also use our flag  ALLOW ALL HOSTNAME VERIFIER  by the method HttpsURLConnection setDefaultHostnameVerifier    Below code works for me   HostnameVerifier hostnameVerifier   org apache http conn ssl SSLSocketFactory ALLOW ALL HOSTNAME VERIFIER   DefaultHttpClient client   new DefaultHttpClient     SchemeRegistry registry   new SchemeRegistry    SSLSocketFactory socketFactory   SSLSocketFactory getSocketFactory    socketFactory setHostnameVerifier  X509HostnameVerifier  hostnameVerifier   registry register new Scheme  https   socketFactory  443    SingleClientConnManager mgr   new SingleClientConnManager client getParams    registry   DefaultHttpClient httpClient   new DefaultHttpClient mgr  client getParams         Set verifier      HttpsURLConnection setDefaultHostnameVerifier hostnameVerifier       Example send http request final String url    https   encrypted google com    HttpPost httpPost   new HttpPost url   HttpResponse response   httpClient execute httpPost

User · Answer

Simplest way for create SSL certificate  Open Firefox  I suppose it s also possible with Chrome  but it s easier for me with FF   Visit your development site with a self-signed SSL certificate   Click on the certificate  next to the site name   Click on  More information   Click on  View certificate   Click on  Details   Click on  Export      Choose  X 509 Certificate whith chain  PEM    select the folder and name to save it and click  Save   Go to command line  to the directory where you downloaded the pem file and execute  openssl x509 -inform PEM -outform DM -in  pem -out  crt   Copy the  crt file to the root of the  sdcard folder inside your Android device Inside your Android device  Settings   Security   Install from storage    It should detect the certificate and let you add it to the device Browse to your development site    The first time it should ask you to confirm the security exception  That s all    The certificate should work with any browser installed on your Android  Browser  Chrome  Opera  Dolphin      Remember that if you re serving your static files from a different domain  we all are page speed bitches  you also need to add the certificate for that domain

User · Answer

I wrote small library ssl-utils-android to trust particular certificate on Android   You can simply load any certificate by giving the filename from assets directory   Usage   OkHttpClient client   new OkHttpClient    SSLContext sslContext   SslUtils getSslContextForCertificateFile context   BPClass2RootCA-sha2 cer    client setSslSocketFactory sslContext getSocketFactory

User · Answer

I was frustrated trying to connect my Android App to my RESTful service using https  Also I was a bit annoyed about all the answers that suggested to disable certificate checking altogether  If you do so  whats the point of https   After googled about the topic for a while  I finally found this solution where external jars are not needed  just Android APIs  Thanks to Andrew Smith  who posted it on July  2014          Set up a connection to myservice domain using HTTPS  An entire function    is needed to do this because myservice domain has a self-signed certificate         The caller of the function would do something like     HttpsURLConnection urlConnection   setUpHttpsConnection  https   littlesvr ca       InputStream in   urlConnection getInputStream       And read from that  in  as usual in Java        Based on code from     https   developer android com training articles security-ssl html SelfSigned     public static HttpsURLConnection setUpHttpsConnection String urlString        try                  Load CAs from an InputStream             could be from a resource or ByteArrayInputStream or              CertificateFactory cf   CertificateFactory getInstance  X 509                My CRT file that I put in the assets folder            I got this file by following these steps               Go to https   littlesvr ca using Firefox              Click the padlock More Security View Certificate Details Export              Saved the file as littlesvr crt  type X 509 Certificate  PEM              The MainActivity context is declared as             public static Context context             And initialized in MainActivity onCreate   as             MainActivity context   getApplicationContext            InputStream caInput   new BufferedInputStream MainActivity context getAssets   open  littlesvr crt             Certificate ca   cf generateCertificate caInput           System out println  ca       X509Certificate  ca  getSubjectDN                 Create a KeyStore containing our trusted CAs         String keyStoreType   KeyStore getDefaultType            KeyStore keyStore   KeyStore getInstance keyStoreType           keyStore load null  null           keyStore setCertificateEntry  ca   ca               Create a TrustManager that trusts the CAs in our KeyStore         String tmfAlgorithm   TrustManagerFactory getDefaultAlgorithm            TrustManagerFactory tmf   TrustManagerFactory getInstance tmfAlgorithm           tmf init keyStore               Create an SSLContext that uses our TrustManager         SSLContext context   SSLContext getInstance  TLS            context init null  tmf getTrustManagers    null               Tell the URLConnection to use a SocketFactory from our SSLContext         URL url   new URL urlString           HttpsURLConnection urlConnection    HttpsURLConnection url openConnection            urlConnection setSSLSocketFactory context getSocketFactory              return urlConnection            catch  Exception ex                Log e TAG   Failed to establish SSL connection to server      ex toString             return null            It worked nice for my mockup App

User · Answer

Maybe this will helpful    it works on java clients using self-signed certificates  there is no check of the certificate   Be careful and use it only for development cases because that is no secure at all    How to ignore SSL certificate errors in Apache HttpClient 4 0  Hope it will works on Android just adding HttpClient library    good luck

[android] accepting HTTPS connections with self-signed certificates

Grab the certs

Create the keystore

Use the keystore in your app

Examples related to android

Examples related to ssl

Examples related to https

Examples related to httpclient

Examples related to ca