Android SSL HTTP Request using self signed cert and CA

Andy Davies picture Andy Davies · Oct 17, 2013 · Viewed 8.9k times · Source

I have an android application that is connecting to an SSL web service that we host. The Web server is apache and has its own CA that we created and a self signed SSL certificate.

I have imported our CA certificate onto the Android tablet in the User Trusted certificates section in Security.

I have tested access to the web server and can confirm that the web service certificate shows as valid (screenshot below)

Valid certificate

Here is the certificate in the security settings:

Trusted certificate

Now when I try and access the webservice in my application I get the "No Peer Certificate" exception being triggered.

This is the SSL implementation simplified:

public class MainActivity extends Activity {

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);

    // allows network on main thread (temp hack)
    StrictMode.ThreadPolicy policy = new StrictMode.ThreadPolicy.Builder().permitAll().build(); 
    StrictMode.setThreadPolicy(policy);

    SchemeRegistry schemeRegistry = new SchemeRegistry();
    //schemeRegistry.register(new Scheme("https", SSLSocketFactory.getSocketFactory(), 443));
    schemeRegistry.register(new Scheme("https", newSSLSocketFactory(), 443));


    HttpParams params = new BasicHttpParams();

    SingleClientConnManager mgr = new SingleClientConnManager(params, schemeRegistry);

    HttpClient client = new DefaultHttpClient(mgr, params);

    HttpPost httpRequest = new HttpPost("https://our-web-service.com");

    try {
        client.execute(httpRequest);
    } catch (Exception e) {
        e.printStackTrace(); //
    }
}

/* 
 * Standard SSL CA Store Setup //
 */
private SSLSocketFactory newSSLSocketFactory() {

    KeyStore trusted;

    try {
        trusted = KeyStore.getInstance("AndroidCAStore");
        trusted.load(null, null);
        Enumeration<String> aliases = trusted.aliases();

        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            X509Certificate cert = (X509Certificate) trusted.getCertificate(alias);
            Log.d("", "Alias="+alias);
            Log.d("", "Subject DN: " + cert.getSubjectDN().getName());
            Log.d("", "Issuer DN: " + cert.getIssuerDN().getName());
        }      

        SSLSocketFactory sf = new SSLSocketFactory(trusted);
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        return sf;

    } catch (Exception e) {
        // TODO Auto-generated catch block
        throw new AssertionError(e);
    }  
}

}

The while loop just spits out the certificates and I can see my own CA in the logs. But I still get the "No Peer Certificate" exception.

10-17 18:29:01.234: I/System.out(4006): No peer certificate

Do I have to manually load my CA certificate somehow in this implementation?

Answer

Andy Davies picture Andy Davies · Oct 21, 2013

Solved by using: HttpsURLConnection

URLConnection conn = null;
URL url = new URL(strURL);
conn = url.openConnection();
HttpsURLConnection httpsConn = (HttpsURLConnection) conn;

This seems to work fine with user installed CA certificates.