For the client cert part, I would add a wrapper around the X509KeyManager/X509ExtendedKeyManager instance to see if the SSLSocket is calling you to ask for a client certificate during the handshake. Looks like someone on Stack Overflow suggested this. I'd also make sure with Wireshark or tcpdump that the server is requesting a client certificate with a CertificateRequest message.
But I'm guessing it is not sending the client cert because the client device doesn't trust the server. So I'd add a wrapper on the X509TrustManager to log as well, to see the chain that the SSLSocket is trying to validate. I assume you aren't using an intermediate CA? Again, I'd look with Wireshark to see what certs the server is sending to the client.

-bri

On Wed, Jul 2, 2014 at 3:16 PM, Derek Cole <[email protected]> wrote:
> Hello,
>
> I hate to cross-post, but I have posted a question here:
> http://stackoverflow.com/questions/24518570/client-certificate-not-sent-from-android-to-ssl-server
>
> Basically, I am trying to use my own CA, and my own cert signed by that CA to connect to a server that has a cert signed by that same CA. I am unable to get my Android client to send a cert to the server. What am I doing wrong?
>
> I am using an SSL utility class to help manage the keystores.
> https://github.com/ubergeek42/weechat-android/blob/master/weechat-android/src/main/java/com/ubergeek42/WeechatAndroid/service/SSLHandler.java
>
> My basic idea is that I am loading my CA's cert into a keystore, and then using that keystore to initialize a TrustManagerFactory.
>
> I then make another keystore, load in my client cert, and then initialize a KeyManagerFactory with that store.
>
> Finally, I create the socket factory with those trust and key managers:
>
> sslCertSocketFactory = (SSLCertificateSocketFactory)
> SSLCertificateSocketFactory.getDefault(100000);
> sslCertSocketFactory.setKeyManagers(kmf.getKeyManagers());
> sslCertSocketFactory.setTrustManagers(tmf.getTrustManagers());
>
> Now, whenever I use that factory to createSocket(), I get an SSLHandshakeException on the Android client, and the server simply reports the peer did not send a cert.
>
> The whole point was to be able to use
> sslCertSocketFactory.setHostname(socket, "mysniname.local");
>
> to set the SNI server name so that my server knows what to do with the incoming connection.
>
> I have been stuck for days, any help is appreciated. If it is possible to produce my end result (the SNI functionality) with something else entirely, I am all ears.
>
> Thanks!
>
> -Derek
>
> --
> You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/d/optout.
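The logging wrappers bri suggests above, as an added example (not code from the thread or from the weechat-android project): one class wraps the X509KeyManager so you can see whether the TLS stack ever asks for a client alias (and, if it does, which key types and issuer DNs the server's CertificateRequest named), and another wraps the X509TrustManager so the server chain being validated is printed before the real validation runs. Both delegate every decision to the original manager, so trust and key selection behaviour is unchanged. The `kmf`/`tmf` names and the `sslCertSocketFactory` calls are taken from Derek's post; the log tag, the class name and the use of `android.util.Log` are assumptions.

```java
import android.util.Log;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

/** Diagnostic wrappers for a failing TLS client-cert handshake (example code, assumed names). */
public final class TlsHandshakeLogging {
    private static final String TAG = "TLS-DIAG"; // assumed log tag

    /** Renders a chain as "subject <- issuer" pairs so CA mismatches are visible in logcat. */
    static String describe(X509Certificate[] chain) {
        if (chain == null) return "null";
        StringBuilder sb = new StringBuilder();
        for (X509Certificate c : chain) {
            sb.append('[').append(c.getSubjectX500Principal())
              .append(" <- ").append(c.getIssuerX500Principal()).append("] ");
        }
        return sb.toString();
    }

    /** Logs every client-certificate request the handshake makes, then delegates. */
    static final class LoggingKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager d;
        LoggingKeyManager(X509KeyManager d) { this.d = d; }

        @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
            // If this never appears, the server sent no CertificateRequest or the
            // handshake died earlier (typically the server chain failed trust validation).
            Log.d(TAG, "chooseClientAlias keyTypes=" + Arrays.toString(keyTypes)
                    + " issuers=" + Arrays.toString(issuers));
            String alias = d.chooseClientAlias(keyTypes, issuers, s);
            // null here means no keystore entry matched the requested key type / issuer DN.
            Log.d(TAG, "chooseClientAlias -> " + alias);
            return alias;
        }
        @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) {
            Log.d(TAG, "chooseEngineClientAlias keyTypes=" + Arrays.toString(keyTypes)
                    + " issuers=" + Arrays.toString(issuers));
            String alias = (d instanceof X509ExtendedKeyManager)
                    ? ((X509ExtendedKeyManager) d).chooseEngineClientAlias(keyTypes, issuers, e)
                    : d.chooseClientAlias(keyTypes, issuers, null);
            Log.d(TAG, "chooseEngineClientAlias -> " + alias);
            return alias;
        }
        @Override public X509Certificate[] getCertificateChain(String alias) {
            X509Certificate[] chain = d.getCertificateChain(alias);
            Log.d(TAG, "getCertificateChain(" + alias + ") -> " + describe(chain));
            return chain;
        }
        @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return d.chooseServerAlias(kt, is, s); }
        @Override public String[] getClientAliases(String kt, Principal[] is) { return d.getClientAliases(kt, is); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return d.getServerAliases(kt, is); }
        @Override public PrivateKey getPrivateKey(String alias) { return d.getPrivateKey(alias); }
    }

    /** Logs the server chain under validation and the verdict; validation itself is unchanged. */
    static final class LoggingTrustManager implements X509TrustManager {
        private final X509TrustManager d;
        LoggingTrustManager(X509TrustManager d) { this.d = d; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            Log.d(TAG, "checkServerTrusted authType=" + authType + " chain=" + describe(chain));
            try {
                d.checkServerTrusted(chain, authType);
                Log.d(TAG, "server chain accepted");
            } catch (CertificateException ex) {
                Log.w(TAG, "server chain rejected: " + ex);
                throw ex; // keep the failure: this wrapper must never weaken validation
            }
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            d.checkClientTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return d.getAcceptedIssuers(); }
    }

    /** Wraps each X509 manager from a factory; other manager types pass through untouched. */
    static KeyManager[] wrap(KeyManager[] kms) {
        KeyManager[] out = kms.clone();
        for (int i = 0; i < out.length; i++)
            if (out[i] instanceof X509KeyManager) out[i] = new LoggingKeyManager((X509KeyManager) out[i]);
        return out;
    }
    static TrustManager[] wrap(TrustManager[] tms) {
        TrustManager[] out = tms.clone();
        for (int i = 0; i < out.length; i++)
            if (out[i] instanceof X509TrustManager) out[i] = new LoggingTrustManager((X509TrustManager) out[i]);
        return out;
    }
    // Usage with the factory from the post (kmf/tmf already initialised):
    //   sslCertSocketFactory.setKeyManagers(TlsHandshakeLogging.wrap(kmf.getKeyManagers()));
    //   sslCertSocketFactory.setTrustManagers(TlsHandshakeLogging.wrap(tmf.getTrustManagers()));
}
```

Reading the resulting logcat answers bri's two questions in order: if "checkServerTrusted" is followed by "server chain rejected", the client never gets far enough to present a cert and the printed subject/issuer pairs show which CA the server chain actually leads to; if the server chain is accepted but "chooseClientAlias" never appears, the server did not send a CertificateRequest, which is what the Wireshark capture should confirm; and if "chooseClientAlias" appears but returns null, compare the logged issuer DNs against the issuer of the client cert in the KeyManagerFactory keystore.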
