28

I am working on an Android app that requires Client Certificate Authentication (with PKCS 12 files). Following the deprecation of all that's apache.http.*, we have started a pretty big work of refactoring on our network layer, and we have decided to go with OkHttp as a replacement, and so far I like that very much.

However, I haven't found any other way to handle client certificate auth without using SSLSocketFactory, with OkHttp or anything else for that matter. So what would be the best course of action in this particular case? Is there another way with OkHttp to handle this sort of authentication?

ROMANIA_engineer
  • 54,432
  • 29
  • 203
  • 199
TheYann
  • 1,367
  • 2
  • 12
  • 13
  • 4
    `SSLSocketFactory` is not deprecated, either in the [current shipping versions of Android](http://developer.android.com/reference/javax/net/ssl/SSLSocketFactory.html) or in the M Developer Preview. – CommonsWare Jun 23 '15 at 12:04
  • 1
    Oh my god you are absolutely right, I never realised there were 2 classes SSLSocketFactory! org.apache.http.conn.ssl.SSLSocketFactory is deprecated but javax.net.ssl.SSLSocketFactory is not! Thanks a lot for this enlightenment. – TheYann Jun 23 '15 at 12:36
  • 1
    Conversely, I had not realized that HttpClient had their own `SSLSocketFactory` class. :-) – CommonsWare Jun 23 '15 at 12:47

2 Answers2

54

if you are using https, you have to use a valid certificate. During your dev stage you have to trust the certificate, how? sslSocketFactory(SSLSocketFactory sslSocketFactory) is deprecated and it's replaced by sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager), you have to update your gradle file the piece of code below will help you to get a trusted OkHttpClient that trusts any ssl certificate.

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
    throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
}
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, new TrustManager[] { trustManager }, null);
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
OkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(sslSocketFactory, trustManager);
user2167877
  • 1,676
  • 1
  • 14
  • 15
19

Apparently, there are two SSLSocketFactory classes. HttpClient has its own one, and that is deprecated along with the rest of HttpClient. However, everybody else will be using the more conventional javax.net.ssl edition of SSLSocketFactory, which is not deprecated (thank $DEITY).

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491