The issue was that I forgot to add a truststore to my server. (Both my certificates are self-signed.) Hence my server simply didn't take my certificate seriously enough. :)
On Monday, March 9, 2015 at 2:27:50 AM UTC+1, Brian Carlstrom wrote:
>
> See "Beginning Cryptography with Java" by David Hook? Besides JKS vs
> BKS, there doesn't seem to be anything Android specific to your
> question.
>
> -bri
>
> On Sat, Mar 7, 2015 at 8:55 AM, Jaroslav Záruba <[email protected]> wrote:
> > I'm dealing with the same issue, and the PKCS12 solution does not seem
> > to cure it for me.
> >
> > Do both keyStore and trustStore need to be of the same type?
> > Does the trustStore type ("JKS/BKS/PKCS12") even matter when I am setting
> > the single certificate via setCertificateEntry("tomcat", certificate)?
> >
> > Until I set clientAuth in my Connector to true all went okay, I was able
> > to read from the SSL URL. (I.e. the trustStore/trustManagerFactory is
> > probably okay.)
> >
> > I am in the early stages of the project, hence I am working with "home-made
> > certificates".
> > (Also this is my 2nd week of Android development and 1st time dealing
> > with this key/trust/cert stuff.)
> >
> > On Thursday, August 23, 2012 at 1:21:40 PM UTC+2, Marco Serioli wrote:
> >>
> >> I'm developing an android application on v13 target sdk and I'm trying
> >> to secure the connection from the android device to my tomcat server v6
> >> with SSL, also enabling clientAuth. I'm using self-signed certificates.
> >>
> >> Just to introduce my project (I think the error is not due to this): I'm
> >> using spring-android RestTemplate with a custom ClientHttpRequestFactory.
> >> Because of the android sdk version I'm sure that spring will use
> >> HttpUrlConnection and not HttpClient! So I'm extending
> >> SimpleClientHttpRequestFactory and overriding the openConnection method.
> >> I need to do this to trust my self-signed certificates and to use my
> >> client authentication certificate!
> >>
> >> So I init my sslContext and set it on the HttpURLConnection in this way:
> >>
> >> import java.io.IOException;
> >> import java.io.InputStream;
> >> import java.net.HttpURLConnection;
> >> import java.net.Proxy;
> >> import java.net.URL;
> >> import java.security.KeyManagementException;
> >> import java.security.KeyStore;
> >> import java.security.KeyStoreException;
> >> import java.security.NoSuchAlgorithmException;
> >> import java.security.SecureRandom;
> >> import java.security.UnrecoverableKeyException;
> >> import java.security.cert.CertificateException;
> >> import javax.net.ssl.HostnameVerifier;
> >> import javax.net.ssl.HttpsURLConnection;
> >> import javax.net.ssl.KeyManagerFactory;
> >> import javax.net.ssl.SSLContext;
> >> import javax.net.ssl.SSLSession;
> >> import javax.net.ssl.SSLSocketFactory;
> >> import javax.net.ssl.TrustManagerFactory;
> >> import android.content.Context;
> >> import android.util.Log;
> >> import org.springframework.http.client.SimpleClientHttpRequestFactory;
> >>
> >> // The class name, constructor and LOG_TAG are assumed; the post only shows
> >> // the two methods and the verifier class below.
> >> public class ClientCertRequestFactory extends SimpleClientHttpRequestFactory {
> >>     private static final String LOG_TAG = "ClientCertRequestFactory";
> >>     private final Context mContext;
> >>
> >>     public ClientCertRequestFactory(Context context) {
> >>         mContext = context;
> >>     }
> >>
> >>     // Builds an SSLSocketFactory that presents the client certificate
> >>     // (key store) and trusts the self-signed server certificate (trust store).
> >>     private SSLSocketFactory getSSLSocketFactory() throws KeyStoreException,
> >>             KeyManagementException, NoSuchAlgorithmException,
> >>             CertificateException, IOException, UnrecoverableKeyException {
> >>         final InputStream trustStoreLocation =
> >>                 mContext.getResources().openRawResource(R.raw.trust_store);
> >>         final String trustStorePassword = "........";
> >>
> >>         final InputStream keyStoreLocation =
> >>                 mContext.getResources().openRawResource(R.raw.key_store);
> >>         final String keyStorePassword = "........";
> >>
> >>         final KeyStore trustStore = KeyStore.getInstance("BKS");
> >>         trustStore.load(trustStoreLocation, trustStorePassword.toCharArray());
> >>
> >>         final KeyStore keyStore = KeyStore.getInstance("BKS");
> >>         keyStore.load(keyStoreLocation, keyStorePassword.toCharArray());
> >>
> >>         final TrustManagerFactory tmf =
> >>                 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> >>         tmf.init(trustStore);
> >>
> >>         final KeyManagerFactory kmf =
> >>                 KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> >>         kmf.init(keyStore, keyStorePassword.toCharArray());
> >>
> >>         final SSLContext sslCtx = SSLContext.getInstance("TLS");
> >>         sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
> >>
> >>         return sslCtx.getSocketFactory();
> >>     }
> >>
> >>     @Override
> >>     protected HttpURLConnection openConnection(URL url, Proxy proxy) throws IOException {
> >>         final HttpURLConnection httpUrlConnection = super.openConnection(url, proxy);
> >>         if (url.getProtocol().toLowerCase().equals("https")) {
> >>             try {
> >>                 ((HttpsURLConnection) httpUrlConnection)
> >>                         .setSSLSocketFactory(getSSLSocketFactory());
> >>                 ((HttpsURLConnection) httpUrlConnection)
> >>                         .setHostnameVerifier(new NullHostnameVerifier());
> >>             } catch (Exception e) {
> >>                 if (LogConfig.ERROR_LOGS_ENABLED) {
> >>                     Log.e(LOG_TAG, e.getMessage());
> >>                 }
> >>             }
> >>         }
> >>         return httpUrlConnection;
> >>     }
> >>
> >>     // Accepts every hostname, i.e. hostname verification is switched off:
> >>     // any certificate the trust store accepts is taken for any server name.
> >>     private static class NullHostnameVerifier implements HostnameVerifier {
> >>         public boolean verify(String hostname, SSLSession session) {
> >>             return true;
> >>         }
> >>     }
> >> }
> >>
> >> When tomcat clientAuth is disabled it works fine.
> >>
> >> But when tomcat client authentication is enabled, trying to establish
> >> a connection from the android device I got this exception:
> >>
> >> error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
> >> (external/openssl/ssl/s3_pkt.c:1232 0x19bf40:0x00000003); nested exception
> >> is javax.net.ssl.SSLProtocolException: SSL handshake terminated:
> >> ssl=0x182c70: Failure in SSL library, usually a protocol error
> >>
> >> I've tried to install the client certificate on my web browser for
> >> testing purposes and everything goes ok! So I think it's a problem of my
> >> android application!
> >>
> >> Have you ever got this kind of exception?
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Android Security Discussions" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at http://groups.google.com/group/android-security-discuss.
> > For more options, visit https://groups.google.com/d/optout.
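The fix reported at the top of this thread (the server needs a trust store that contains the client's self-signed certificate once clientAuth is on) can be reproduced end to end with plain JSSE. The following program is an added example, not code from this thread; it runs on a desktop JVM rather than Android (on Android the same javax.net.ssl calls apply, with "BKS" in place of "PKCS12"). It assumes four PKCS12 files produced by the keytool commands in the header comment, the password "changeit", the ports 8443 and 8444, and the class and file names shown; all of these are constructed for the example. Case 1 mirrors the failure in the thread: the server is configured to require a client certificate but is given no trust store, so JSSE falls back to the JDK default trust store, which cannot validate a self-signed client certificate, and the handshake is rejected. Case 2 gives the server a trust store holding the client certificate and the mutual-TLS handshake succeeds. The client side also shows the alternative to a hostname verifier that returns true: enabling endpoint identification so the server certificate is checked against "localhost".

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.concurrent.CountDownLatch;

/*
 * Added example (not from the mailing-list thread). Key material is assumed to be
 * generated beforehand with keytool; every file name, alias and password is constructed:
 *
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
 *     -dname "CN=localhost" -ext SAN=dns:localhost \
 *     -keystore server.p12 -storetype PKCS12 -storepass changeit
 *   keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
 *     -dname "CN=client" -keystore client.p12 -storetype PKCS12 -storepass changeit
 *   keytool -exportcert -alias server -keystore server.p12 -storepass changeit -rfc -file server.crt
 *   keytool -exportcert -alias client -keystore client.p12 -storepass changeit -rfc -file client.crt
 *   keytool -importcert -noprompt -alias server -file server.crt \
 *     -keystore client-trust.p12 -storetype PKCS12 -storepass changeit
 *   keytool -importcert -noprompt -alias client -file client.crt \
 *     -keystore server-trust.p12 -storetype PKCS12 -storepass changeit
 */
public class MutualTlsDemo {
    static final char[] PASS = "changeit".toCharArray();

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASS);
        }
        return ks;
    }

    // identityPath: key store with our private key and certificate (what we present).
    // trustPath: key store with the peer certificates we accept; null means "no trust
    // store configured", so JSSE uses the JDK default (cacerts), which is exactly the
    // situation described in the thread.
    static SSLContext context(String identityPath, String trustPath) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(identityPath), PASS);
        TrustManager[] trustManagers = null;
        if (trustPath != null) {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(trustPath));
            trustManagers = tmf.getTrustManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagers, new SecureRandom());
        return ctx;
    }

    // One-shot TLS server that requires a client certificate (Tomcat's clientAuth="true").
    static void runServer(SSLContext ctx, int port, CountDownLatch ready) {
        new Thread(() -> {
            try (SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port)) {
                ss.setNeedClientAuth(true);
                ready.countDown();
                try (SSLSocket s = (SSLSocket) ss.accept();
                     BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                     PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
                    // getSession() forces the handshake; the client cert is validated here.
                    String peer = s.getSession().getPeerPrincipal().getName();
                    out.println("hello " + peer + ", got: " + in.readLine());
                }
            } catch (Exception e) {
                System.out.println("server on port " + port + ": " + e);
            }
        }).start();
    }

    // Client: presents its certificate and verifies the server name (no null verifier).
    static String connect(SSLContext ctx, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", port)) {
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // check the cert against "localhost"
            s.setSSLParameters(params);
            s.startHandshake();
            PrintWriter out = new PrintWriter(s.getOutputStream(), true);
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
            out.println("ping");
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        // Case 1: server requires a client cert but has no trust store -> rejected.
        CountDownLatch ready1 = new CountDownLatch(1);
        runServer(context("server.p12", null), 8443, ready1);
        ready1.await();
        try {
            System.out.println("case 1: " + connect(context("client.p12", "client-trust.p12"), 8443));
        } catch (IOException e) {
            System.out.println("case 1 failed as expected: " + e.getMessage());
        }

        // Case 2: server trust store contains the client's certificate -> mutual TLS works.
        CountDownLatch ready2 = new CountDownLatch(1);
        runServer(context("server.p12", "server-trust.p12"), 8444, ready2);
        ready2.await();
        System.out.println("case 2: " + connect(context("client.p12", "client-trust.p12"), 8444));
    }
}
```

Two points from the thread follow directly from this code. The key store and trust store are loaded by independent KeyStore.getInstance calls, so their types need not match; what matters is that each TrustManagerFactory is initialised with a store that actually holds the peer's certificate. And for Tomcat the server half of case 2 corresponds to setting truststoreFile and truststorePass on the same Connector that carries clientAuth="true"; without that attribute Tomcat, like the JSSE server above, has nothing with which to validate a self-signed client certificate.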
