Thank you very much for the quick reply. I am actually using the Weberknecht websocket implementation to create a secure websocket. It in turn uses SSLSocketFactory.getDefault(), which returns android.net.SSLCertificateSocketFactory. This leaves me with 2 questions, if you don't mind.
1. What other options are there to create a pure SSL socket, other than SSLSocketFactory?
2. Coming from a JEE background I am used to keeping the things that change per environment (dev/test/prod) in the environment and not in the code. The custom keystore approach seems to introduce dev environment requirements into source code, not only the part where you initialise it, but also the actual binary for deployment. Is this not seen as problematic in the Android world? (There are other examples, like server URLs that might change, that have a similar issue in my mind.)

Thanks again for taking the time to help me.

On Monday, 5 November 2012 20:25:10 UTC+2, Brian Carlstrom wrote:
> On Mon, Nov 5, 2012 at 9:27 AM, Frans van Niekerk
> <[email protected]> wrote:
> > According to the android.net.SSLCertificateSocketFactory
>
> I wouldn't recommend using that class or anything related to it if you
> can avoid it.
>
> The Android HttpsURLConnection documentation
> http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
> has an example of making an application specific X509TrustManager. If
> you provide it a KeyStore containing your self-signed cert, it will
> trust it.
>
> -bri
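
The approach suggested in the quoted reply, as an added example that is not part of the original thread or of the Android documentation: an SSLSocketFactory that trusts only the certificate read from an InputStream, so the certificate can be supplied per build or environment instead of being compiled into the code. The class name `SelfSignedTrust`, the method name `socketFactoryFor` and the `"server"` alias are hypothetical; on Android the stream would typically come from a packaged resource (an assumption, the thread does not say).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class (added example, not code from the thread).
public final class SelfSignedTrust {

    /** Builds a socket factory that trusts only the certificate read from certStream. */
    public static SSLSocketFactory socketFactoryFor(InputStream certStream) throws Exception {
        // Parse the PEM- or DER-encoded server certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert = cf.generateCertificate(certStream);

        // Empty in-memory KeyStore holding just that one trusted certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", cert);

        // Trust managers backed by this KeyStore replace the system trust store
        // for connections made through the resulting context only.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    // Usage: java SelfSignedTrust /path/to/server-cert.pem
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            SSLSocketFactory factory = socketFactoryFor(in);
            System.out.println("Socket factory ready: " + factory.getClass().getName());
        }
    }
}
```

A raw SSLSocket created from this factory validates the certificate chain but does not check the hostname; HttpsURLConnection performs that check itself, while code that uses the socket directly (such as a websocket client) has to verify the peer with a HostnameVerifier.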
