
A colleague had a problem with the connection to an SSL server using his own developed application. I configured my Tomcat machine with a self-signed certificate (.pem) and a connection via browser works fine. He tried to add my certificate to his "application resources" but it doesn't work. Can anyone help me and my colleague? Do I need to modify any setting in my server.xml or web.xml? Thanks.

observer

1 Answer


The Android application needs to be slightly modified in order to accept self-signed certificates. You have two options at this point, either:

  1. Trust all SSL connections (within the Android app)
  2. Create your own TrustManager which also includes the specific server certificate (along with the defaults, if necessary). Here's one example.
Marvin Pinto
  • or 3. Trust your specific server certificate and also any others in the default Trust Manager. It takes a bit more glue, but not much so – jglouie Feb 29 '12 at 17:07
  • @jglouie To add the specific server certificate to the _default_ `TrustManager`, wouldn't that need to be done outside the context of an App (as in done by the end user)? I'm not entirely sure how that works which is why I ask. – Marvin Pinto Feb 29 '12 at 17:09
  • I meant create a custom TrustManager that internally uses the DefaultTrustManager. When overriding the trust methods, check if it matches the server certificate. If it does not, check if the internal copy of the DefaultTrustManager trusts it – jglouie Feb 29 '12 at 17:25
  • @jglouie Wouldn't my second point pretty much cover that? Again, I ask only to clarify if I missed something so I can edit my answer appropriately, etc. Granted I didn't go into too many details because the OP mentioned that his/her colleague built the Android app (as opposed to him/herself) and I wanted to keep it on point as much as possible :) – Marvin Pinto Feb 29 '12 at 17:29
  • I guess it's how I read the second point. I read it as one and only one ("and only trust the specific server certificate") will ever be trusted. Guess it matters if the app wants to use the system known trust certs or not. I've seen both approaches – jglouie Feb 29 '12 at 17:39
  • @jglouie Good point. My intention with the second point was _also_ trust the specific server cert (not _only_). I'll update my answer :) – Marvin Pinto Feb 29 '12 at 17:41
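The following is an added example illustrating the answer's second option and the delegating `TrustManager` jglouie describes in the comments; it is not code from the answer or from the OP's colleague. It assumes the Tomcat certificate is bundled in the app as a resource named `server.pem` (hypothetical name) and that the caller passes it in as an `InputStream`. The trust manager first asks a trust store containing only that certificate, and only if that fails does it fall back to the platform's default CA set, so both the self-signed Tomcat server and ordinary public sites keep working. Note that this does not touch hostname verification: `HttpsURLConnection` still runs its default `HostnameVerifier`, so the self-signed certificate's CN/SAN must match the host the app connects to. The answer's first option (trusting every certificate) removes server authentication entirely, which is why the example does not show it.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * X509TrustManager that accepts a server chain if EITHER a trust store built from
 * the app's bundled self-signed certificate trusts it OR the platform default
 * trust store does. Hypothetical example class; "server.pem" is an assumed name.
 */
public final class PinnedAndDefaultTrustManager implements X509TrustManager {

    private final X509TrustManager pinned;   // built only from our server.pem
    private final X509TrustManager platform; // the Android/JVM default CA set

    public PinnedAndDefaultTrustManager(InputStream serverPem) throws Exception {
        // 1. Parse the PEM-encoded certificate that the Tomcat server presents.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert = (X509Certificate) cf.generateCertificate(serverPem);

        // 2. Place it in an empty in-memory KeyStore and derive a TrustManager from it.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("tomcat-self-signed", serverCert);
        pinned = firstX509(trustManagersFor(ks));

        // 3. init(null) yields the platform's default trust anchors.
        platform = firstX509(trustManagersFor(null));
    }

    private static TrustManager[] trustManagersFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    private static X509TrustManager firstX509(TrustManager[] tms) {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            pinned.checkServerTrusted(chain, authType);   // our own self-signed cert?
        } catch (CertificateException notOurServer) {
            platform.checkServerTrusted(chain, authType); // otherwise normal CA rules apply
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Advertise both issuer sets: the pinned cert plus the platform anchors.
        X509Certificate[] a = pinned.getAcceptedIssuers();
        X509Certificate[] b = platform.getAcceptedIssuers();
        X509Certificate[] all = new X509Certificate[a.length + b.length];
        System.arraycopy(a, 0, all, 0, a.length);
        System.arraycopy(b, 0, all, a.length, b.length);
        return all;
    }

    /** Builds an SSLContext using this trust manager, for use per connection. */
    public static SSLContext sslContextFor(InputStream serverPem) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedAndDefaultTrustManager(serverPem) }, null);
        return ctx;
    }

    /** Example wiring: apply the context to one HttpsURLConnection rather than globally. */
    public static void configure(HttpsURLConnection conn, InputStream serverPem) throws Exception {
        conn.setSSLSocketFactory(sslContextFor(serverPem).getSocketFactory());
    }
}
```

Applying the socket factory per connection (rather than via `HttpsURLConnection.setDefaultSSLSocketFactory`) keeps the extra trust anchor scoped to the requests that actually talk to the Tomcat server; every other connection in the app continues to use the unmodified platform defaults.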