
I'm getting this on LogCat when httpsURLConnection.getInputStream() is called

SSL handshake failure: Failure in SSL library, usually a protocol error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (external/openssl/ssl/s3_pkt.c:1127 0x29eb40:0x00000003)

I have tested it on Android 2.3 and it works nicely.

My server requires client authentication! Maybe FROYO does not support this kind of handshake... I don't know...

I tried using httpclient as well. Fail in every case...

```java
import android.util.Log;

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

private void process() throws Exception {

    char[] pass = "clientpass".toCharArray();

    // Load the client key + certificate chain (BKS keystore shipped in assets)
    // and build the KeyManager that presents it during the TLS handshake.
    InputStream ksStream = getAssets().open("clientKeyStore.bks");
    KeyStore keyStore = KeyStore.getInstance("BKS");
    keyStore.load(ksStream, pass);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keyStore, pass);
    ksStream.close();

    // Trust manager that accepts any server certificate (no validation at all).
    X509TrustManager[] tm = new X509TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    } };

    SSLContext context = SSLContext.getInstance("TLS");
    context.init(kmf.getKeyManagers(), tm, null);
    HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    // Hostname verifier that accepts any hostname (no verification at all).
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    });

    URL url = new URL("https://192.168.2.101:8443/RestTomcat/resources/veiculos/KKK1234");
    HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
    // The handshake (and the reported failure) happens inside getInputStream().
    BufferedReader br = new BufferedReader(new InputStreamReader(httpsURLConnection.getInputStream()));
    StringBuilder sb = new StringBuilder();
    String line;
    while ((line = br.readLine()) != null) {
        sb.append(line).append('\n');
    }
    br.close();

    Log.e("OUTPUT", sb.toString());
    httpsURLConnection.disconnect();
}
```
CelinHC
  • Is the failure in the Android Logcat or server log? And what line of code is it failing on exactly? – Reed Feb 15 '12 at 21:37
  • @Jakar Updated! I'm getting this on LogCat when httpsURLConnection.getInputStream() is called. – CelinHC Feb 16 '12 at 10:21
  • I think that there is a difference between the trusted CAs. Who signed that certificate? – rekire Feb 16 '12 at 10:23
  • @rekire All certificates are self-signed. – CelinHC Feb 16 '12 at 10:30
  • @CelinHC Did you ever find a solution for this one? I am banging my head trying to find the solution. My guess that 2.2 somehow doesn't send a complete Cert Chain, but can't get that confirmed anywhere. If you found the solution already, I would appreciate if you post your own answer and you'll get my vote. Thanks! – momo Mar 02 '12 at 06:44

2 Answers


Make sure the date, time and timezone settings are correct on the 2.2 device.

Jeff Gilfelt

I am not sure if you have found the answer, but this seems to be a bug with Android 2.2 not analyzing the full certificate chain. If your .p12 cert has a multi-level chain, Android 2.2 doesn't seem to follow the entire chain.

I had the same problem, which I asked about in this SO question. I asked our administrator to generate a new client certificate that is directly issued by the Root CA without the Sub CA, and afterwards 2.2 works. It does bring up the question of the security of having a client certificate without a Sub CA as intermediary, though.

UPDATE: The Android team confirms that this is an issue in 2.1/2.2. The details are in the following issue tracker.

momo
  • In my case I have a self-signed certificate... So am I lost? – CelinHC Mar 09 '12 at 12:36
  • There is another workaround, replacing the original Android socket implementation with another one, which I ended up doing since in the end they still want the more secure Sub-CA to root CA chain. The steps are pretty involved but it works (so far). Let me know if you are interested in trying it and I could put it up in the answer. I also posted a bug in Android, in which they confirm that this is an [issue in 2.1/2.2](http://code.google.com/p/android/issues/detail?id=26542) – momo Mar 09 '12 at 19:11
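Two things a reader can check before chasing the 2.1/2.2 chain bug: how long the chain stored in the client keystore actually is (a Sub CA between the client cert and the root is what momo's answer says 2.2 mishandles), and whether the trust-all `X509TrustManager` and `HostnameVerifier` from the question can be replaced by a truststore that pins the server's self-signed certificate. The following is an added example, not code from the question or either answer; it assumes a second BKS file `serverTrust.bks` holding only the server certificate, protected by the same password.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientAuthDiagnostics {

    /** Walk every key entry and return the longest stored chain. A chain of length 1
     *  whose subject differs from its issuer means the Sub CA is not in the keystore;
     *  a length of 2+ with a Sub CA is the layout momo's answer reports 2.2 failing on. */
    static int longestChain(KeyStore ks) throws Exception {
        int longest = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println(alias + "[" + i + "] subject=" + c.getSubjectX500Principal()
                        + " issuer=" + c.getIssuerX500Principal());
            }
            longest = Math.max(longest, chain.length);
        }
        return longest;
    }

    /** Present the client key and trust only the certificates in serverTrust
     *  (here: the server's self-signed cert), instead of an accept-everything trust manager. */
    static SSLContext buildContext(InputStream clientKs, char[] pass, InputStream serverTrust)
            throws Exception {
        KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(clientKs, pass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pass);

        KeyStore trustStore = KeyStore.getInstance("BKS");
        trustStore.load(serverTrust, pass);   // assumed: same password as the client keystore
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Install the result with `HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory())` and leave the default `HostnameVerifier` in place, which requires the server certificate to match the host used in the URL.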