tags:

views:

195

answers:

1
Q: 

Android DefaultHttpClient accept all certificates for SSL session help

I am attempting to connect to a local HTTPS server using the apache DefaultHttpClient on a Android device.

 DefaultHttpClient httpclient = new DefaultHttpClient();
 HttpPost httppost = new HttpPost("http://192.168.1.121:4113/services");
 ... header and content filling in ...
 HttpResponse response = httpclient.execute(httppost);

I am getting an error of "javax.net.ssl SSLException: Not trusted server certificate" when the .execute runs. I want to simply allow any certificate to work, regardless of if it is or is not in the android key chain.

I have spent about 40 hours researching and trying to figure out a workaround for this issue. I have seen many examples of how to do this but none so far have worked in Android; they seem to only work for JAVA. Does anyone know how to configure, or override the certificate validation used by the Apache HttpClient in Android so that it will just approve all certificates for a DefaultHttpClient connection?

I thank you for your kind response

A: 

Look at this tutorial http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates/

The tutorial is based on Apache's HttpClient and explains how to use the SSLSocketFactory to trust the defined certificates in your own keystore (also explained how you can create it with the BouncyCastle provider).

I've tested it and it works great. In my opinion this is the secure way.

saxos  2010-10-23 21:25:14
Thank you for trying but that is not what I want to do. I do not want to add the certificate into my keystore. I fully realize the security implications of what I am doing. This is for a commercial product and I can't expect the customers to know how to perform those actions. I have found several examples of solving this by adding the cert to the key store but noone has been able to just bypass it entirely.
metalideath  2010-10-24 16:43:27
I see. And switching to the plain old java.net libraries is not an option for you? With those you can easily accept all certs.Maybe this helps: http://stackoverflow.com/questions/2703161/apache-httpclient-4-0-ignore-ssl-certificate-errorsDidn't try it.
saxos  2010-10-24 21:42:42
Just forgot to mention: http://mobile.synyx.de/2010/06/android-and-self-signed-ssl-certificates/This guy here is implementing an own SSLSocketFactory, which should accept all self-signed certs.
saxos  2010-10-24 21:54:44

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP