Javax.Net.Ssl.Sslhandshakeexception: Java.Security.Cert.Certpathvalidatorexception: Trust Anchor for Certification Path Not Found

  • Home
  • Languages
  • Java
  • Javax.Net.Ssl.Sslhandshakeexception: Java.Security.Cert.Certpathvalidatorexception: Trust Anchor for Certification Path Not Found

Trust Anchor not found for Android SSL Connection

The solution of @Chrispix is dangerous! Trusting all certificates allows anybody to do a man in the middle attack! Just send ANY certificate to the client and it will accept it!

Add your certificate(s) to a custom trust manager like described in this post: Trusting all certificates using HttpClient over HTTPS

Although it is a bit more complex to establish a secure connection with a custom certificate, it will bring you the wanted ssl encryption security without the danger of man in the middle attack!

CertPathValidatorException : Trust anchor for certificate path not found - Retrofit Android

DISCLAIMER: this answer is from Jul 2015 and uses Retrofit and OkHttp from that time.

Check this link for more info on Retrofit v2 and this one for the current OkHttp methods.

Okay, I got it working using Android Developers guide.

Just as OP, I'm trying to use Retrofit and OkHttp to connect to a self-signed SSL-enabled server.

Here's the code that got things working (I've removed the try/catch blocks):

public static RestAdapter createAdapter(Context context) {
  // loading CAs from an InputStream
  CertificateFactory cf = CertificateFactory.getInstance("X.509");
  InputStream cert = context.getResources().openRawResource(R.raw.my_cert);
  Certificate ca;
  try {
    ca = cf.generateCertificate(cert);
  } finally { cert.close(); }

  // creating a KeyStore containing our trusted CAs
  String keyStoreType = KeyStore.getDefaultType();
  KeyStore keyStore = KeyStore.getInstance(keyStoreType);
  keyStore.load(null, null);
  keyStore.setCertificateEntry("ca", ca);

  // creating a TrustManager that trusts the CAs in our KeyStore
  String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
  tmf.init(keyStore);

  // creating an SSLSocketFactory that uses our TrustManager
  SSLContext sslContext = SSLContext.getInstance("TLS");
  sslContext.init(null, tmf.getTrustManagers(), null);

  // creating an OkHttpClient that uses our SSLSocketFactory
  OkHttpClient okHttpClient = new OkHttpClient();
  okHttpClient.setSslSocketFactory(sslContext.getSocketFactory());

  // creating a RestAdapter that uses this custom client
  return new RestAdapter.Builder()
              .setEndpoint(UrlRepository.API_BASE)
              .setClient(new OkClient(okHttpClient))
              .build();
}

To help in debugging, I also added .setLogLevel(RestAdapter.LogLevel.FULL) to my RestAdapter creation commands and I could see it connecting and getting the response from the server.

All it took was my original .crt file saved in main/res/raw.
The .crt file, aka the certificate, is one of the two files created when you create a certificate using openssl. Generally, it is a .crt or .cert file, while the other is a .key file.

Afaik, the .crt file is your public key and the .key file is your private key.

As I can see, you already have a .cert file, which is the same, so try to use it.

PS: For those that read it in the future and only have a .pem file, according to this answer, you only need this to convert one to the other:

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

PS²: For those that don't have any file at all, you can use the following command (bash) to extract the public key (aka certificate) from any server:

echo -n | openssl s_client -connect your.server.com:443 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/my_cert.crt

Just replace the your.server.com and the port (if it is not standard HTTPS) and choose a valid path for your output file to be created.

Trust anchor for certification path not found and Trust anchor possible resolution

What is the default policy applied for certs in this case ?

By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default. An app can customize its own connections using base-config (for app-wide customization) or domain-config (for per-domain customization).

Will it trust any certificate set in my server?

You could trust a custom set of CAs instead of the platform default.
For more details about this, please check the document. https://developer.android.com/training/articles/security-config#CustomTrust


Related Topics

How to Change Webservice Url Endpoint

Php's Strtotime() in Java

How to Download Older Google Play Services

How to Populate a Drop Down with a List Using Thymeleaf and Spring

Getting Jsoup to Support Dynamically Generated HTML by JavaScript

Remove Padding/Margin from Javafx Label

Java Compiler for Less CSS

Android: Dex Cannot Parse Version 52 Byte Code

Unobtrusive Way to Combine and Compress JavaScript/CSS for Java/Spring/Maven Applications

How to Clear the (Css) Visited History of an Android Webview

Selenium Webdriver - Getcssvalue() Method

Dynamically Add CSS Stylesheets in Javafx

Duplicated Entries in Listview

Universal Way to Write to External Sd Card on Android

How to Use Okhttp to Upload a File

Dynamic Listview in Android App

How to Execute Webui Feature File Against Multiple Browsers Using Parallel Runner or Distributed Testing

Android Simpledateformat, How to Use It


Leave a reply



Submit