Android SSL HostName Was Not Verified

Question

I have a self signed server hardcoded port 52428. My client app keeps getting "Hostname Was Not Verified" even when I override the HostNameVerifier to always return true. When I changed the hostname from IP Address to DNS, another error pops up that says "Unable to resolve host: No Address associated with hostname"

Here's my code:

private class SSLConnect extends AsyncTask<Void, Void, String> {
    @Override
    protected String doInBackground(Void... values) {
        //String https_url = "https://www.google.com/";
        //String https_url = "https://192.168.0.106:52428/webserveradmin/preferences";
        String https_url = "https://home-pc:52428/webserveradmin/preferences/";
        String response;

        try {
            TrustManager[] tm = new TrustManager[]{
                new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

                    }

                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        //return new X509Certificate[0];
                        return null;
                    }
                }
            };

            URL url;
            try {
                url = new URL(https_url);
            }
            catch (MalformedURLException e) {
                return "Error URL: " + e.getMessage();
            }

            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            try {
                conn.setDefaultHostnameVerifier(new NullHostNameVerifier());
                SSLContext sc = SSLContext.getInstance("SSL");
                sc.init(null, tm, new SecureRandom());
                conn.setSSLSocketFactory(sc.getSocketFactory());
                conn.setRequestMethod("GET");
                conn.setRequestProperty("Authorization", "Basic " + Base64.encode("sa:sa".getBytes(), Base64.DEFAULT));
                conn.connect();

                InputStream in = conn.getInputStream();
                BufferedReader r = new BufferedReader(new InputStreamReader(in));
                StringBuilder sb = new StringBuilder();
                String line;
                while ((line = r.readLine()) != null) {
                    sb.append(line);
                }
                response = sb.toString();

            } catch (GeneralSecurityException e) {
                return "Error Security: " + e.getMessage();
            }
        }
        catch(Exception e){
            return "Error SSL: " + e.getMessage();
        }
        return response;
    }

    @Override
    protected void onProgressUpdate(Void... values) {

    }

    @Override
    protected void onPostExecute(String result) {
        Toast.makeText(ctxt, result, Toast.LENGTH_LONG).show();
    }
}

public class NullHostNameVerifier implements HostnameVerifier{
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}

You understand that the request URL domain must match the common name of the certificate? — Simon, Dec 27 '14 at 20:50
@Simon Could you explain a little bit on that? Sorry I'm still very new in all these. — Casperonian, Dec 28 '14 at 01:36
Did you find an adequate solution to your question? I am facing a similar issue now — IgorGanapolsky, Jun 18 '18 at 19:21
See the solution by Steffen using Key Pinning. That solves the problem for me. — Casperonian, Aug 06 '18 at 09:02

score 2 · Accepted Answer · edited May 23 '17 at 11:50

2

The hostname verifier cares about verifying the hostname only, not the trust chain. But with self-signed certificates you don't have a trust chain leading to a locally trusted certificate.

Apart from that, just disabling the certificate checking is a very bad idea, because this way you will not only accept your self-signed certificate but instead any certificates and thus you will be open to man-in-the-middle attacks. See also SSL Vulnerability in ******** VU#582497. To do it correctly use instead certificate/public key pinning. For a more detailed explanation and also sample code see OWSAP.

edited May 23 '17 at 11:50

Community

1
1

answered Dec 27 '14 at 22:37

Steffen Ullrich

114,247
10
131
172

Hi Steffen, I have tried the code sample from OWSAP. I still got the same error: Unable to resolve host home-pc. No address associated with hostname. I think @Simon might have got something, do you understand what he is referring to? – Casperonian Dec 28 '14 at 01:38
1

"Unable to resolve host home-pc" just means that it can not find the IP address for this host name. This problem is not related to SSL at all but will happen with normal http connections too, because there is some configuration problem outside the application. Check if you can use the same name from other computers in the network without having it configured there specifically. Also check the full qualified DNS name (i.e. home-pc.local or whatever this is in your network). – Steffen Ullrich Dec 28 '14 at 08:14

Android SSL HostName Was Not Verified

1 Answers1

Linked