using a Self Signed SSL on Android Client

patrickl

When trying to connect to our client's LS server, we receive the error described in this android dev document:
http://developer.android.com/training/articles/security-ssl.html#CommonProblems

We are attempting to solve it using their proposed solution- registering the cert in the applications custom TrustManager.
This example is also from the dev doc referenced above:

// Load CAs from an InputStream[COLOR=#000000]
[/COLOR]// (could be from a resource or ByteArrayInputStream or ...)[COLOR=#000000]
 [/COLOR][COLOR=#660066]CertificateFactory[/COLOR][COLOR=#000000]cf[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#660066]CertificateFactory[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]getInstance[/COLOR][COLOR=#666600]([/COLOR][COLOR=#880000]"X.509"[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]
[/COLOR][COLOR=#000000]
 [/COLOR][COLOR=#660066]InputStream[/COLOR][COLOR=#000000]caInput[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#000088]new[/COLOR][COLOR=#660066]BufferedInputStream[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000088]new[/COLOR][COLOR=#660066]FileInputStream[/COLOR][COLOR=#666600]([/COLOR][COLOR=#880000]"local.cer"[/COLOR][COLOR=#666600]));[/COLOR][COLOR=#000000]
 [/COLOR][COLOR=#660066]Certificate[/COLOR][COLOR=#000000]ca[/COLOR] [COLOR=#666600];[/COLOR][COLOR=#000000]
[/COLOR][COLOR=#000088]try[/COLOR][COLOR=#666600]{[/COLOR][COLOR=#000000]
    ca  [/COLOR][COLOR=#666600]=[/COLOR][COLOR=#000000]cf[/COLOR] [COLOR=#666600].[/COLOR][COLOR=#000000]generateCertificate[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000000]caInput[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]
     [/COLOR][COLOR=#660066]System[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000088]out[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]println[/COLOR][COLOR=#666600]([/COLOR][COLOR=#880000]"ca="[/COLOR][COLOR=#666600]+[/COLOR][COLOR=#666600](([/COLOR][COLOR=#000000]X509Certificate[/COLOR][COLOR=#666600])[/COLOR][COLOR=#000000]ca[/COLOR] [COLOR=#666600]).[/COLOR][COLOR=#000000]getSubjectDN[/COLOR][COLOR=#666600]());[/COLOR][COLOR=#000000]
[/COLOR][COLOR=#666600]}[/COLOR][COLOR=#000088]finally[/COLOR][COLOR=#666600]{[/COLOR][COLOR=#000000]
    caInput[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]close[/COLOR][COLOR=#666600]();[/COLOR][COLOR=#000000]
[/COLOR][COLOR=#666600]}[/COLOR][COLOR=#000000]

[/COLOR]// Create a KeyStore containing our trusted CAs[COLOR=#000000]
 [/COLOR][COLOR=#660066]String[/COLOR][COLOR=#000000]keyStoreType[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#660066]KeyStore[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]getDefaultType[/COLOR][COLOR=#666600]();[/COLOR][COLOR=#000000]
 [/COLOR][COLOR=#660066]KeyStore[/COLOR][COLOR=#000000]keyStore[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#660066]KeyStore[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]getInstance[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000000]keyStoreType[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]
keyStore[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]load[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000088]null[/COLOR][COLOR=#666600],[/COLOR][COLOR=#000088]null[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]
keyStore [/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]setCertificateEntry[/COLOR][COLOR=#666600]([/COLOR][COLOR=#880000]"ca"[/COLOR][COLOR=#666600],[/COLOR][COLOR=#000000]ca[/COLOR] [COLOR=#666600]);[/COLOR][COLOR=#000000]

[/COLOR]// Create a TrustManager that trusts the CAs in our KeyStore[COLOR=#000000]
 [/COLOR][COLOR=#660066]String[/COLOR][COLOR=#000000]tmfAlgorithm[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#660066]TrustManagerFactory[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]getDefaultAlgorithm[/COLOR][COLOR=#666600]();[/COLOR][COLOR=#000000]
 [/COLOR][COLOR=#660066]TrustManagerFactory[/COLOR][COLOR=#000000]tmf[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#660066]TrustManagerFactory[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]getInstance[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000000]tmfAlgorithm[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]
tmf[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]init[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000000]keyStore[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]

[/COLOR]// Create an SSLContext that uses our TrustManager[COLOR=#000000]
 [/COLOR][COLOR=#660066]SSLContext[/COLOR][COLOR=#000000]context[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#660066]SSLContext[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]getInstance[/COLOR][COLOR=#666600]([/COLOR][COLOR=#880000]"TLS"[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]
context [/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]init[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000088]null[/COLOR][COLOR=#666600],[/COLOR][COLOR=#000000]tmf[/COLOR] [COLOR=#666600].[/COLOR][COLOR=#000000]getTrustManagers[/COLOR][COLOR=#666600](),[/COLOR][COLOR=#000088]null[/COLOR][COLOR=#666600]);
[/COLOR]

Uaually the SSLContext is provided to a UriConnection...

// Tell the URLConnection to use a SocketFactory from our SSLContext[COLOR=#000000]
URL url  [/COLOR][COLOR=#666600]=[/COLOR][COLOR=#000088]new[/COLOR][COLOR=#000000]URL[/COLOR] [COLOR=#666600]([/COLOR][COLOR=#880000]"https://certs.cac.washington.edu/CAtest/"[/COLOR][COLOR=#666600]);[/COLOR][COLOR=#000000]
 [/COLOR][COLOR=#660066]HttpsURLConnection[/COLOR][COLOR=#000000]urlConnection[/COLOR] [COLOR=#666600]=[/COLOR][COLOR=#000000]
    [/COLOR][COLOR=#666600]([/COLOR][COLOR=#660066]HttpsURLConnection[/COLOR][COLOR=#666600])[/COLOR][COLOR=#000000]url[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]openConnection[/COLOR][COLOR=#666600]();[/COLOR][COLOR=#000000]
urlConnection[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]setSSLSocketFactory[/COLOR][COLOR=#666600]([/COLOR][COLOR=#000000]context[/COLOR][COLOR=#666600].[/COLOR][COLOR=#000000]getSocketFactory[/COLOR][COLOR=#666600]());[/COLOR]

How do we get android's LSClient to use this SSLContext which is aware of our self signed cert? Or, is there a way to get our application to use some sort of globally provided HttpsURLConnection?

Giuseppe Corti

Hi Patrick,

Have you tried to change the default factory for ordinary sockets before calling the openConnection() method of Lightstreamer library?

Socket.setSocketImplFactory(context.getSocketFactory());

patrickl

This looks close to what I need, but context.getSocketFactory() is an instance of javax.net.ssl.SSLSocketFactory, and Socket.setSocketImplFactory() expects a java.net.SocketImplFactory. I cannot cast them.

Any idea what I am missing?

Giuseppe Corti

Ok sorry, please can you try something like this:

HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

patrickl

That's what I'm looking for. Thank you for the assistance.