I'm developing an Android application with target SDK v13 and I'm trying to
secure the connection from the Android device to my Tomcat v6 server with SSL,
also enabling clientAuth. I'm using self-signed certificates.

Just to introduce my project (I think the error is not due to this): I'm
using spring-android RestTemplate with a custom ClientHttpRequestFactory.
Because of the Android SDK version I'm sure that Spring will use
HttpURLConnection and not HttpClient! So I'm extending
SimpleClientHttpRequestFactory and overriding the openConnection method. I
need to do this to trust my self-signed certificates and to use my client
authentication certificate!

So I init my sslContext and set it on the HttpURLConnection in this way:

    private SSLSocketFactory getSSLSocketFactory() throws KeyStoreException,
            KeyManagementException, NoSuchAlgorithmException, CertificateException,
            IOException, UnrecoverableKeyException {
        // Trust store: the self-signed server certificate(s) the client accepts.
        final InputStream trustStoreLocation =
                mContext.getResources().openRawResource(R.raw.trust_store);
        final String trustStorePassword = "........";
        // Key store: the client certificate and private key presented for clientAuth.
        final InputStream keyStoreLocation =
                mContext.getResources().openRawResource(R.raw.key_store);
        final String keyStorePassword = "........";

        final KeyStore trustStore = KeyStore.getInstance("BKS");
        trustStore.load(trustStoreLocation, trustStorePassword.toCharArray());
        final KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(keyStoreLocation, keyStorePassword.toCharArray());

        final TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // The same password is used for the store and for the private key entry.
        final KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword.toCharArray());

        final SSLContext sslCtx = SSLContext.getInstance("TLS");
        sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return sslCtx.getSocketFactory();
    }

    @Override
    protected HttpURLConnection openConnection(URL url, Proxy proxy) throws IOException {
        final HttpURLConnection httpUrlConnection = super.openConnection(url, proxy);
        if (url.getProtocol().toLowerCase().equals("https")) {
            try {
                ((HttpsURLConnection) httpUrlConnection).setSSLSocketFactory(getSSLSocketFactory());
                ((HttpsURLConnection) httpUrlConnection).setHostnameVerifier(new NullHostnameVerifier());
            } catch (Exception e) {
                // If setup fails, the connection is returned with the platform default SSL settings.
                if (LogConfig.ERROR_LOGS_ENABLED) {
                    // Pass the exception itself: e.getMessage() may be null.
                    Log.e(LOG_TAG, "SSL setup failed", e);
                }
            }
        }
        return httpUrlConnection;
    }

    // Accepts every hostname, so hostname verification is disabled for these connections.
    private static class NullHostnameVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }

When Tomcat clientAuth is disabled it works fine.
But when Tomcat client authentication is enabled, trying to establish a
connection from the Android device I got this exception:
error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
(external/openssl/ssl/s3_pkt.c:1232 0x19bf40:0x00000003); nested exception is
javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x182c70:
Failure in SSL library, usually a protocol error

I've tried to install the client certificate in my web browser for testing
purposes and everything goes OK! So I think it's a problem with my Android
application!

Have you ever got this kind of exception?
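
An added check for the setup in the post above (example code, not from the original message): with clientAuth enabled, a KeyManagerFactory can only offer a certificate from a key-store entry that holds a private key together with its certificate chain, so this sketch lists which entries of a key store qualify. The class and method names are hypothetical, and on a desktop JVM the BKS type assumes the Bouncy Castle provider is registered.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical helper (not from the post): reports which key-store entries
// could be presented as a TLS client certificate.
public class ClientKeyStoreCheck {

    static List<String> usableClientEntries(KeyStore ks, char[] keyPassword) throws Exception {
        List<String> usable = new ArrayList<String>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // Certificate-only entry: fine in a trust store, unusable for clientAuth.
                System.out.println(alias + ": trusted certificate only, no private key");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0 || ks.getKey(alias, keyPassword) == null) {
                System.out.println(alias + ": key entry without a usable key or chain");
                continue;
            }
            if (chain[0] instanceof X509Certificate) {
                X509Certificate leaf = (X509Certificate) chain[0];
                leaf.checkValidity(); // throws if expired or not yet valid
                System.out.println(alias + ": subject=" + leaf.getSubjectX500Principal()
                        + " issuer=" + leaf.getIssuerX500Principal());
            }
            usable.add(alias);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ClientKeyStoreCheck <file> <type, e.g. BKS> <password>
        // With no arguments, a constructed empty in-memory store shows the failing case.
        boolean fromFile = args.length == 3;
        KeyStore ks = KeyStore.getInstance(fromFile ? args[1] : KeyStore.getDefaultType());
        char[] pw = fromFile ? args[2].toCharArray() : new char[0];
        try (InputStream in = fromFile ? new FileInputStream(args[0]) : null) {
            ks.load(in, fromFile ? pw : null);
        }
        List<String> usable = usableClientEntries(ks, pw);
        System.out.println(usable.isEmpty() ? "No entry can be sent as a client certificate"
                : "Client-certificate candidates: " + usable);
    }
}
```

The printed issuer is the value to compare against the certificates in the server's trust store, since the server only accepts client certificates that chain to an issuer it trusts.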