tags:

views:

793

answers:

3
+1  Q: 

HTTPS with Self-Signed SSL Certificate Issues... Solution or better way?

All I need to do is download some basic text-based and image files from a web server that has a self-signed SSL certificate.

I have been trying to figure out how to use HttpClient to do this, but getting the SSL to work is a nightmare that seems to be way too much trouble for such a simple task.

Is there a better way to perform these file downloads? Perhaps through a WebView or Browser feature? Reinventing the wheel of making a simple HTTPS GET request is a major pain, and is significantly holding up my development schedule.

A: 

I think you could do it with the HttpsURLConnection. Try this out:

URL url = new URL("https://yourhttpsurl.com");
URLConnection conn = url.openConnection(); // should return a HttpsURLConnection

BufferedReader in = new BufferedReader(
        new InputStreamReader(conn.getInputStream()));
String str;
while ((str = in.readLine()) != null) {
    // Process str
}

in.close();

I just did the very same task, but I needed handling of cookies as well (and I was lazy) so I actually used HttpClient in the Android app. I know it's a huge overkill but I believe that most of the HttpClient code was unused (that is, unreferenced and thus not compiled) in my small app, because the resulting .apk was just a few kb large.

Edit: It just struck me I've only tested the first approach with properly signed centificates.

aioobe  2010-04-29 21:48:18
Yeah, this doesn't work with self-signed certificates.
stormin986  2010-05-04 23:05:02
+3  A: 

I would recommend getting a non-self-signed cert for the server.

That being said, here is an example of creating an SSLSocketFactory that supports self-signed certs, and here is an example of using an SSLSocketFactory with HttpClient.

CommonsWare  2010-04-29 21:51:00
When I try to combine these two, I get the following problem. The first example you give related to self-signed certificates is using the `javax.net.ssl.SSLContext.getSocketFactory()`, but in the second example on how to integrate it, a `new Scheme()` requires a socket factory of the type org.apache.http.conn.scheme.SocketFactory. Is there a need to transform one to the other or are they identical/fully compatible? I currently am just casting the result of my `javax.*.SSLSocketFactory getSocketFactory()` function to an `org.apache.*.SocketFactory` and the compiler isn't complaining...
stormin986  2010-04-30 00:12:22
Yeah doing that is giving me a ClassCastException at runtime. Is there any way to make these two things compatible?
stormin986  2010-04-30 00:31:00
Urk. I hate it when these guys name stuff the same. Nope, I have no clue. HttpClient is "opinionated software", and they don't like self-signed certs, so hence we're kinda on our own. Sorry.
CommonsWare  2010-04-30 00:38:47
Found one! http://stackoverflow.com/questions/995514/https-connection-android uses HttpsURLConnection and shows how to bypass the certificate check.
stormin986  2010-04-30 02:15:05
And here's another good one for DefaultHttpClient: http://stackoverflow.com/questions/1217141/self-signed-ssl-acceptance-android
stormin986  2010-05-01 16:49:51
A: 

I found two great examples of how to accept self-signed SSL certificates, one each for HttpsURLConnection and HttpClient.

HttpsURLConnection solution: http://stackoverflow.com/questions/995514/https-connection-android

HttpClient solution: http://stackoverflow.com/questions/1217141/self-signed-ssl-acceptance-android

stormin986  2010-05-04 23:07:03

related questions

How would you implement a secure static login credentials system in Java?
Blocking https url's in a embedded gecko browser
Restrict Apache to only allow access using SSL for some directories
How to put up an off-the-shelf https to http gateway?
Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?
What's the best way to learn server RESTful code?
Force HTTPS. How is it possible?
How can I get LWP to validate SSL server certificates?
What must I do to make content such as images served over HTTPS be cached client-side?
What does a PHP developer need to know about https / secure socket layer connections?
What's a clean/simple way to ensure the security of a page?
Making sure a web page is not cached, across all browsers.
Best way in asp.net to force https for an entire site?
Any way to handle Put and Delete verbs in ASP.Net MVC?
Response.Redirect with POST instead of Get?
How to get the correct Content-Length for a POST request.
IIS7: HTTP->HTTPS Cleanly
[ASP.NET ERROR] The request was aborted: Could not create SSL/TLS secure channel.
Testing HTTPS files with MAMP
How do banks remember "your computer"?
Avoid traffic shaping by using ssh on port 443
Convince Firefox to send an If-Modified-Since header over HTTPS
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
Options for Google Maps over SSL