Safely fixing: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
It turns out my code was fine and the problem was that the server was not returning the full certificate chain. For more information see this SO post and this superuser post:
SSL certificate is not trusted - on mobile only
https://superuser.com/questions/347588/how-do-ssl-chains-work
error javax.net.ssl.SSLPeerUnverifiedException: No peer certificate and SSLNullSession.java:104
The server you connected to doesn't have a great SSL certificate. A quick search to StackOverflow forwarded me to this great question and answers: Safely fixing: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
Error in android application: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
Indeed, the problem was that my Android SDK does not support SNI .
It helped me:
Fixing javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
I fought a lot with this problem.
It appeared that the server I was sending to has a virtual host (hosted on GAE). On Android 5.0 this issue is solved, but bellow Android 5.0 you have to add SNI support yourself.
Here is an explanation of this problem http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache.
So to make my code work I had to change SslSocketFactory class from the tutorial. It did the magic.
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.params.HttpParams;
import android.annotation.TargetApi;
import android.net.SSLCertificateSocketFactory;
import android.os.Build;
class SslSocketFactory extends SSLSocketFactory {
InputStream mkeyStore;
String mkeyStorePassword;
public SslSocketFactory(InputStream keyStore, String keyStorePassword) throws KeyManagementException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException{
super(null);
mkeyStore=keyStore;
mkeyStorePassword=keyStorePassword;
}
@Override
public Socket connectSocket(Socket s, String host, int port, InetAddress localAddress, int localPort, HttpParams params) throws IOException {
return null;
}
@Override
public Socket createSocket() throws IOException {
return null;
}
@Override
public boolean isSecure(Socket s) throws IllegalArgumentException {
if (s instanceof SSLSocket) {
return ((SSLSocket) s).isConnected();
}
return false;
}
@TargetApi(Build.VERSION_CODES.JELLY_BEAN_MR1)
@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
SSLSocket sslSocket = null;
if (autoClose) {
socket.close();
}
SSLCertificateSocketFactory sslSocketFactory = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0, null);
try {
sslSocketFactory.setTrustManagers(new TrustManager[] { new SsX509TrustManager( mkeyStore, mkeyStorePassword) });
} catch (GeneralSecurityException e1) {
e1.printStackTrace();
}
sslSocket = (SSLSocket) sslSocketFactory.createSocket(InetAddress.getByName(host), port);
sslSocket.setEnabledProtocols(sslSocket.getSupportedProtocols());
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
sslSocketFactory.setHostname(sslSocket, host);
} else {
try {
java.lang.reflect.Method setHostnameMethod = sslSocket.getClass().getMethod("setHostname", String.class);
setHostnameMethod.invoke(sslSocket, host);
} catch (Exception e) {
}
}
return sslSocket;
}
}
SSL No peer certificate Android
Found the answer to make the SSLSocket with private class, like this?
public class MySSLSocketFactory extends SSLSocketFactory {
private SSLContext sslContext = SSLContext.getInstance("TLS");
private MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
super(truststore);
TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
sslContext.init(null, new TrustManager[] { tm }, null);
}
@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
}
@Override
public Socket createSocket() throws IOException {
return sslContext.getSocketFactory().createSocket();
}
}
Problems with https (No peer certificate) in android
Finally I have solved https problem. As I fought the main problem was in server, concretely in certificate.
Android supports only “BKS” certificate and that’s was the reason that we can’t get response from the
server. In order to solve this issue I have read more then 30 articles and finally found solution.
The steps which I done to solve this issue you can see below:
First thing that I do was generating .bks keystore file from our fidoserver.crt certificate, in order to do that I have read this article and do following:
- Open cmd
- Go to JDK folder “cd X:\Programs\Java\Jdk6\bin”
- Call following command:
keytool -import -alias tomcat -file X://KeyStore/fidoserver.crt
-keypass password - keystore X://KeyStore/keystore.bks -storetype BKS -storepass 222222 -providerClass
org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath
X://KeyStore/bcprov-jdk16-146.jar
Before running this command I have download Bouncy Castle .jar file and put it in the folder with certificates. After doing this all steps I get keystore.bks file which is the right certificate file for Android application. I put this file in Androids mnc/sdcard folder. In java code I have write following code to read that keystore.bbk file
KeyStore trustStore = KeyStore.getInstance( "BKS" /*KeyStore.getDefaultType()*/ );
FileInputStream instream = new FileInputStream(new File("/mnt/sdcard/keystore.bks"));
try {
trustStore.load(instream, "222222".toCharArray());
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} finally {
try { instream.close(); } catch (Exception ignore) {}
}
// Create socket factory with given keystore.
SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
Scheme sch = new Scheme("https", socketFactory, 443);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
HttpGet httpget = new HttpGet("https://10.2.20.20/fido/EzPay/login.php");
System.out.println("executing request " + httpget.getRequestLine());
HttpResponse response = httpclient.execute(httpget);
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (entity != null) {
System.out.println("Response content length: " + entity.getContentLength());
}
// Print html.
BufferedReader in = new BufferedReader(new InputStreamReader(response.getEntity().getContent()));
String line = "";
while ((line = in.readLine()) != null) {
System.out.println(line);
}
in.close();
This all allow m to load our certificate with given password 222222 (password we give when create a keystore with keytool).
After this all my test application start to work correctly. Now I can send request to https and get response from it. I have tested
application with FIDO server, everything works great! I think on Monday I will make some changes in EzPay application and it
will start working with https connections.
References
- Using TLS with Apache Tomcat and Android
- SSL Verification for Android Applications
- KeyStore
- Android: Trusting SSL certificates
- Bouncy Castle
- Android/Java — How to Create HTTPS Connection?
Related Topics
Android: Implementing Progressbar and "Loading..." for Endless List Like Android Market
Creating Custom Lockscreen in Android
Android Get Current Locale, Not Default
Ndk Resolution Outcome: Project Settings: Gradle Model Version=5.4.1, Ndk Version Is Unknown Error
How to Save Image in Android Gallery
Android Java.Lang.Noclassdeffounderror
How to Make a Horizontal Listview in Android
Googlesignatureverifier Signature Not Valid Message (Google Play Services 9.0.0)
Proguard Causing Runtimeexception (Unmarshalling Unknown Type Code) in Parcelable Class
Android:Call Activity of Another Application
Gradle Dsl Method Not Found: 'Runproguard'
Android:Locationmanager VS Google Play Services
Android Gradle Apache Httpclient Does Not Exist
Show Icon in Actionbar/Toolbar with Appcompat-V7 21