Hello,

I have to establish an SSL connection to https://xdm.telefonica.es:8096/ (on Android 2.2+). The certificate chain of the server is (openssl s_client -connect xdm.telefonica.es:8096):
[...]
Certificate chain
 0 s:/C=ES/ST=Madrid/L=Madrid/O=TELEFONICA MOVILES ESPANA SA./OU=Desarrollo de Servicios/CN=xdm.telefonica.es
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
[...]
Translating it into user-friendly form (CN, serial number):
0: xdm.telefonica.es, 0x64 4E 91 4B 13 33 CF 6C 1C 08 D2 9C 21 E0 C4 75
1: VeriSign Class 3 International Server CA - G3, 0x64 1B E8 20 CE 02 08 13 F3 2D 4D 2D 95 D6 7E 67
2: VeriSign Class 3 Public Primary Certification Authority - G5, 0x18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A

I extracted cacerts.bks from my 2.3.4 Galaxy SII (adb pull /system/etc/security/cacerts.bks 2_3_4cacerts.bks) and listed all root certificates (keytool -list -v -keystore 2_3_4cacerts.bks -storepass changeit -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk16-146.jar). It turns out that the root certificate (2:) is listed as trusted, but the intermediate one (1:) is not on the list. I also checked Android 3.2: the result is the same.

Simple code snippet (the stray ';' after the URL strings in the original is a mail/HTML artifact, removed here):

    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.DefaultHttpClient;

    // Plain Apache HttpClient request with the default (system) trust store.
    DefaultHttpClient hc = new DefaultHttpClient();
    hc.execute(new HttpGet("https://xdm.telefonica.es:8096/"));

returns the famous javax.net.ssl.SSLPeerUnverifiedException: No peer certificate.
For comparison, for the URI "https://mail.google.com" the result is HTTP/1.1 200 OK.

Which one of the following directions should I take:

1. attach a custom keystore to my application (as a raw resource)
   containing the 0: certificate?
    1. it would be troublesome, as 0: is issued for a few months only and
       the application would need updating on clients' devices
2. attach a custom keystore to my application (as a raw resource)
   containing the 1: certificate? Would it fix my problem? (If yes, I guess
   it would be the most preferable one?)
3. ask the server owner to get a new certificate that would be signed using
   an Android-trusted certificate (we cooperate, so I guess it could be
   possible)?
4. any other approach? - apart from dismissing the certificate check, which
   is not acceptable

Thanks in advance,
polishcode


--
The best thing about UDP jokes is that I don't care if you get them or not

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
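An added example, not part of the original post, showing what option 2 above looks like in code: the app ships a copy of the missing intermediate CA certificate as a raw resource and builds an SSLContext that trusts it, so the leaf can be chained even though the device's cacerts.bks only contains the root and the server does not send the intermediate. The resource name (R.raw.intermediate_ca) and the class/method names are assumptions; the example uses HttpsURLConnection from the Android SDK rather than the DefaultHttpClient from the post.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import android.content.Context;

/**
 * Example code (not from the original post): an SSLContext whose trust store
 * holds one CA certificate bundled with the app. With the intermediate CA as
 * the trust anchor, a server that sends only its leaf certificate can still be
 * verified, because the PKIX validator accepts a non-self-signed anchor.
 */
public final class BundledCaHttps {

    private BundledCaHttps() {}

    /**
     * @param context  Android context used to open the raw resource
     * @param rawResId R.raw.<name> of a DER- or PEM-encoded CA certificate
     *                 (assumed resource; e.g. the "1:" intermediate from the post)
     */
    public static SSLContext buildContext(Context context, int rawResId) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        InputStream in = context.getResources().openRawResource(rawResId);
        try {
            ca = cf.generateCertificate(in);
        } finally {
            in.close();
        }

        // Empty in-memory trust store of the platform default type (BKS on Android 2.x).
        // Only the bundled CA is trusted: the system roots are NOT included, so this
        // context is specific to hosts chaining to that CA.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("bundled-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Performs a GET and returns the HTTP status. Chain validation uses only the
     * bundled CA; hostname verification is left at the platform default, which
     * checks the leaf's CN/SAN against the URL host.
     */
    public static int fetchStatus(Context context, int rawResId, String url) throws Exception {
        SSLContext ctx = buildContext(context, rawResId);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

Usage: `BundledCaHttps.fetchStatus(ctx, R.raw.intermediate_ca, "https://xdm.telefonica.es:8096/")`. Two caveats a practitioner should keep in mind: the trust store built here contains only the bundled CA, so the same context will reject unrelated hosts such as mail.google.com; and pinning to the intermediate ties the app to that CA's validity period and to the server keeping its leaf under that issuer, so the app still needs an update (or a second bundled CA) when the intermediate is rotated. The server-side fix is cheaper: configure the server to send the intermediate in its chain, after which the stock trust store suffices.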