I can bypass the SSL errors when accessing a https URL which has untrusted certificate with following code with the WebView below version KitKat
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed();
}
but it does not work for KitKat browser. Any ideas to solve it?
I recently came up to this problem too, this is not documented but it seems that calling method onReceivedSslError on Android 4.4 KitKat depends on the type of SSL error. I checked these two cases:
If the SSL error is due to a self signed server certificate, it does invoke onReceivedSslError method in Android KitKat 4.4, as it did in older versions.
However, if the SSL error cause is a bad certificate chain (LogCat showing the message: "Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.", then onReceivedSslError is not called in KitKat, as it was called in older Android versions, and thus the error cannot be ignored or bypassed in 4.4. This was my case, and I do not know whether this is a bug or done on purpose to prevent MITM attacks, but I did not find a programmatic way to work around this.
The underlying problem for me was that the web server did not expose the full certificate chain but only the last certificate, leaving to the device the responsibility to validate the full chain, provided it has all the certificates stored in the device cert store, which was not the case for Android devices. You could make sure if this was also your problem either by:
a) Checking the certificate chain with an online certificate checker, such as: http://www.digicert.com/help/
b) Using openssl to verify the received certificate chain: openssl s_client -showcerts -connect :443 You can there see the certificate chain, which should contain two or more certificates, and if the result ends with something like: Verify return code: 21 (unable to verify the first certificate), you are likely to have a similar problem as I had.
The solution was to fix the web server configuration so the server exposes the full certificate chain to the hosts.
Your app might behave differently when running on Android 4.4, especially when you update your app's targetSdkVersion to "19" or higher.
The code underlying the WebView class and related APIs has been upgraded to be based on a modern snapshot of the Chromium source code.
This brings a variety of improvements for performance, support for new HTML5 features, and support for remote debugging of your WebView content. The scope of this upgrade means that if your app uses WebView, it's behavior may be impacted in some cases. Although known behavior changes are documented and mostly affect your app only when you update your app's targetSdkVersion to "19" or higher—the new WebView operates in "quirks mode" to provide some legacy functionality in apps that target API level 18 and lower—it's possible that your app depends on unknown behaviors from the previous version of WebView.
So if your existing app uses WebView, it's important that you test on Android 4.4 as soon as possible and consult Migrating to WebView in Android 4.4 for information about how your app might be affected when you update your targetSdkVersion to "19" or higher.
Have you tried something like this?
mWebView.setWebViewClient(new WebViewClient()
{
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed(); // Ignore SSL certificate errors
}
});
