HTTPS GET (SSL) with Android and self-signed server certificate

by

As you correctly point out, there are two issues: a) the certificate isn’t trusted, and b) the name on the certificate doesn’t match the hostname.

WARNING: for anybody else arriving at this answer, this is a dirty, horrible hack and you must not use it for anything that matters. SSL/TLS without authentication is worse than no encryption at all – reading and modifying your “encrypted” data is trivial for an attacker and you wouldn’t even know it was happening.

Still with me? I feared so…

a) is solved by creating a custom SSLContext whose TrustManager accepts anything:

SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[] {
  new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; }
  }
}, null);
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

and b) by creating a HostnameVerifier which allows the connection to proceed even though the cert doesn’t match the hostname:

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
  public boolean verify(String hostname, SSLSession session) {
    return true;
  }
});

Both must happen right at the beginning of your code, before you start messing around with HttpsURLConnections and so on. This works both in Android and the regular JRE. Enjoy.

More Related Contents:

  1. Https Connection Android
  2. How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain
  3. Using client/server certificates for two way authentication SSL socket on Android
  4. java – ignore expired ssl certificate
  5. javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
  6. Disable SSL certificate check in retrofit library
  7. How to do an HTTPS POST from Android?
  8. Enabling specific SSL protocols with Android WebViewClient
  9. How to override the cipherlist sent to the server by Android when using HttpsURLConnection?
  10. OkHttp javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified
  11. javax.net.ssl.SSLException: SSL handshake aborted Connection reset by peer while calling webservice Android
  12. Android SSL HttpGet (No peer certificate) error OR (Connection closed by peer) error
  13. How Can I Access an SSL Connection Through Android?
  14. Been staring at my code for an hour and still can't see the issue. Android – Java development [closed]
  15. Setting Singleton property value in Firebase Listener
  16. Difference between JSONObject and JSONArray
  17. How to add a TextView to LinearLayout in Android
  18. Android: checkbox listener
  19. This app is not authorized to use Firebase Authentication.Please verify that the correct package name and SHA-1 are configured in the Firebase Console
  20. Android Data Binding using include tag
  21. Full screen videoview without stretching the video
  22. Error launching Android Studio: Failed to create JVM: error code-6
  23. Fatal Error: Invalid Layout of java.lang.String at value
  24. Android Retrofit Design Patterns
  25. Android HTML.fromHTML() with images?
  26. How to change fragments using Android navigation drawer
  27. AAPT: error: resource android:attr/fontVariationSettings not found and resource android:attr/ttcIndex not found
  28. android admob resize on landscape
  29. How to check if class exists somewhere in package?
  30. Using the camera activity in Android

Leave a Comment