Certificate pinning is not working on android 2.3.X #2
Comments
Yes, support from 2.2.x is intended. I've checked the issue, and the example stopped working on 4.4.x as well (didn't get the chance to test on other versions yet). The problem is that the certificate on https://api.github.com expired and was replaced with a new one. This is the stack trace you get when trying to connect to a server that has a certificate different from the one pinned. I've fixed the issue by generating the new keystore (check out pull request #4). Could you please confirm it's working on 2.3.x?
Sorry, it's not working on either a physical Samsung i9000 with Android 2.3.3 or on an emulated Samsung Galaxy S2 with Android 2.3.7. After these tests I tried your development branch, but that's not working either. The exception from Retrofit is a bit different then, but the cause is the same, I guess. Somehow the keystore is not read properly. For testing I used the VMs from Genymotion.
Ok, thanks for the info. I'll investigate the issue and let you know when I have more info on why this could be happening.
I think I've figured it out. The certificates from the certificate chain must be imported in the proper order for things to work on 2.3.x. Check #5 for more details. Long story short, certificates must be imported from the bottom of the chain up, each one under a different alias in the keystore. The root certificate should have the "ca" alias. The keystore in master has been updated with the last pull request. I've tested on a Samsung GT-S5600 and it worked. Let me know if it works for you now. It seems that things work on 4.x.x regardless of the order in which certificates are stored in the keystore (additionally, they can all be imported under the same alias at once). This is what I've concluded from my tests.
Unfortunately still no success. It succeeds more than it fails now, but it still fails from time to time, about 1 out of 4 requests (both on the physical device and on the emulator). I also tried the OkHttpClient, and that perhaps gives a hint as to what's going wrong. Perhaps the certificate chain is not returned in the proper order from time to time.
Never mind that... It worked because I didn't have any certificate pinning. It needs some more rework.
Figured out why the CustomTrustManager worked. It didn't do anything with the certificates in the keystore, so no certificate pinning was happening at all, so no problem. The problem I'm encountering also doesn't seem to be related to the order in which the certificate chain is sent by the server. It's something weird within the Android-specific version of the BouncyCastle library. If you try it a few times in a row, it will succeed in the end. But I don't like such magic, so what I'm doing now is:
With 3, you only need to provide the certificate at the level you want to verify (verification of the server certificate itself is generally a bad idea, since those certificates expire pretty quickly). See: delgurth@a8f9642. Not sure if you want to pull all that, since the fix is only in the Retrofit client and not in the Apache one. Other changes:
Sorry, didn't get the chance to reply earlier. Will check it. You can make a pull request. If the Retrofit OkHttp client is working I'll pull and update the readme with a disclaimer that the Apache client doesn't work properly on 2.3.x. It is actually recommended to use HttpUrlConnection / HttpsUrlConnection on Android > 2.2: I just wasn't aware that Apache had such serious bugs on higher Android versions. OkHttp Client is based on HttpUrlConnection if I recall right, so it is the right choice for 2.3.x and above.
Merged your changes to master, and updated the readme file with a note that pinning with the Apache client won't work on Android 2.3.x. Checked the OkHttpClient on a 2.3.7 Genymotion image and it is working as you described. Feel free to check if I've missed something.
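One way to wire the approach discussed above into an app (pin the issuing CA rather than the short-lived leaf, and use HttpsURLConnection), as an added example that is not code from this issue or from the hello-pinnedcert project; the keystore stream, its password and the choice of which CA certificate it holds are assumptions:

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Builds an SSLContext whose ONLY trust anchors are the certificates in a
 * BKS keystore bundled with the app (e.g. as a raw resource). Assumption,
 * not from the thread: the keystore holds just the CA certificate you want
 * to pin (the intermediate that issued the server's leaf), so the leaf can
 * be renewed without an app update while chains from any other CA fail.
 */
public final class PinnedSslContext {

    public static SSLContext fromKeyStore(InputStream bks, char[] password) throws Exception {
        // "BKS" is the BouncyCastle keystore type that Android ships with.
        KeyStore trusted = KeyStore.getInstance("BKS");
        try {
            trusted.load(bks, password);
        } finally {
            bks.close();
        }
        // Initialising the factory with this keystore replaces the system CA
        // store: a chain is accepted only if it leads to one of these anchors.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { firstX509(tmf.getTrustManagers()) }, null);
        return ctx;
    }

    // The factory may return several managers; the X509 one does chain validation.
    private static X509TrustManager firstX509(TrustManager[] managers) throws CertificateException {
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new CertificateException("no X509TrustManager available");
    }
}
```

Apply it per connection with `conn.setSSLSocketFactory(ctx.getSocketFactory())` on an `HttpsURLConnection`; the default hostname verifier stays in place, so only the set of trusted anchors changes.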
I am using this library with Retrofit-1.7.1. But I am getting the following exception. This doesn't seem to be because of the hello-pinnedcert library, but can you help me figure out what I might be doing wrong? The app is for Android API > 14.
@opnchaudhary First of all, it's bad practice to comment on an issue with a question that's unrelated to the issue being addressed, certainly a closed one. Nonetheless I'll try to help you. But since you do not provide details about the host that you are experiencing problems with, it's hard to help you. It might be that the URL you try to connect to has SSL support disabled. Otherwise it's probably using an SSL dialect that your client does not support.
Sorry for the bad practice. Anyway, the problem is fixed. It was because of SSLv3 being enabled on the server along with other versions. Disabled v3 and it's working fine. Thank you.
I'm trying to get this certificate pinning library to work on Android 2.3.X but I'm running into an exception:
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
The gradle file seems to suggest you intend to support Android 2.2.X, that's why I'm raising this issue.
Do you have a clue what's wrong?
The exception and some debug output from the Retrofit client: