Cannot use a CA 1 certificate with HTTP 1.20

[Wilbur]

I'am converting an existing webservice from basic to android.

It is protected with a trusted CA 1 root certificate.
I can use the webservice, without the certificate, with no problems.
The code seems ok.
Some parts of the service need this certificate.
I can navigate with the browser to the serverdata and the certificate
is then recognized.
When I use the HTTP 1.20 library I get the message:

Error Connecting to the server
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

The certificate has a pfx extention. I have converted it with openssl to a p12
version without any succes.

I have placed the pfx certificate in the root of the sdcard and I can see
it as 2 certificates in the system properties.

I use a tablet with ics, somebody any suggestions ?

 

[Erel]

Have you tried to initialize HttpClient with InitializeAcceptAll? This will tell HttpClient to ignore unrecognized certifications.

 

[Wilbur]

Yes, I saw that option, but it makes no difference

I have used ExecuteCredentials too.
I succeed in importing the certificate in the Emulator.
That makes no difference, same result.

 

[Wilbur]

I found some information about this problem on the internet.

It seems that the certificatestore for Root Certificates for version 4 of android
has moved to a dynamic place.

In the older versions it was \system\etc\security\cacerts.bks
Now you first have to ask for the address of the store.

I think that this is the reason why HTTP120.dll cannot find the certificate.
If I navigate with the browser to the same location the certificate installer
pops up. The next time the location opens without checking.

If this is true, I think there is an update of the library needed.
Can we expect an update in that case, or a work around ?


Wilbur.

 

[Erel]

Can you post the link to the page you found this information?

 

[Wilbur]

This is some information about using certificates
with android 4 and the the difference between older versions.

In-App Mobile Certificates Made Easy with mCMS (Part 2) | Certified Security Solutions

Has anybody any experience with this problem ?

 

[Erel]

The KeyChain solution is currently not available. Note that it will only work with Android 4.0 or above.

Does your app work on previous versions?

 

[Wilbur]

Erel thanks for the fast response.

I have android 4.03 on a 10' tablet only.
The APP should run on version 4 tablets.

The windows version with the same HTTP connection runs fine.
The same APP, but without a certificate, runs fine on Android 4
(exactly the same code, only to a http server)
If I connect with the browser to https server the request for the
certificate pops up. I can supply the certificate and the next time
I can connect without the popup.

 

[Wilbur]

Running in the emulator with Android 2.2 (API level 8)

I got an error message and this is the log result:

at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeread(Native Method)


at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.access$300(OpenSSLSocketImpl.java:55)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.read(OpenSSLSocketImpl.java:542)


at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:103)
at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:191)


at org.apache.http.impl.conn.DefaultResponseParser.parseHead(DefaultResponseParser.java:82)
at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:174)
at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:179)
at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:235)


at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:259)


at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:279)
at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:410)


at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
at anywheresoftware.b4a.http.HttpClientWrapper$3.run(HttpClientWrapper.java:215)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
at java.util.concurrent.FutureTask.run(FutureTask.java:137)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1068)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:561)


at java.lang.Thread.run(Thread.java:1096)
java.io.IOException: Read error: Failure in SSL library, usually a protocol error
-1
GC_EXPLICIT freed 156 objects / 11528 bytes in 687ms


GC_EXPLICIT freed 63 objects / 3072 bytes in 104ms


GC_EXPLICIT freed 736 objects / 40840 bytes in 240ms


No keyboard for id 0


Using default keymap: /system/usr/keychars/qwerty.kcm.bin


** Activity (main) Pause, UserClosed = true **


Maybe this helps.

 

[Wilbur]

Results for Emulator 4.0.3 (API level 15)

at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
at anywheresoftware.b4a.http.HttpClientWrapper$3.run(HttpClientWrapper.java:215)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:442)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
at java.util.concurrent.FutureTask.run(FutureTask.java:137)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)
at java.lang.Thread.run(Thread.java:856)
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
-1
GC_CONCURRENT freed 373K, 6% free 9224K/9799K, paused 1ms+9ms

It seems to me that android is searching in the wrong place.

 

[Erel]

Can you post the error log from the device when you run it with InitializeAcceptAll?

 

[Wilbur]

Hello Erel.

Here is the part of the logfile with the error in it.
I added the parts of the code involved with the request.

The certificate is installed on the tablet by means of an
server access.

It shows in the store in the user part and is visible
as two certificates

1) Root CA
2) CA 1

The certificate is working wel, as I navigate to the sever the request pops up.
=====================================================

Sub Process_Globals
Dim HttpClient1 As HttpClient
End Sub

------------------------
Sub Activity_Create(FirstTime As Boolean)
HttpClient1.InitializeAcceptAll ("HttpClient1")
End Sub


------------------------------

body --> XML data see below in logfile
As I am not allowed to show names and passwords, I have replaced them with dummy data


request.InitializePost2(URL1, body.GetBytes("UTF8") )
request.SetHeader("Content-Type", "text/xml; charset=utf-8")
request.SetHeader("SOAPAction", Soapaction)
If HttpClient1.Execute(request, 1) = False Then Return


--------------------------------------------------------





openPcmOut_l() mPcmOpenCnt: 0
<?xml version='1.0' encoding='UTF-8'?><SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-Instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema'><SOAP-ENV:Header><wsse:Security xmlns:wsse='http://schemas.xmlsoap.org/ws/2003/06/secext'><wsse:UsernameToken wsu:Id='user' xmlns:wsse='http://schemas.xmlsoap.org/ws/2003/06/secext' xmlns:wsu='http://schemas.xmlsoap.org/ws/2003/06/utility'><wsse:Username>xxxxxxxxxxxx</wsse:Username><wsseassword Type='wsseasswordText'>XXXXXXXX</wsseassword><wsu:Created>2012-08-13T20:17:19Z</wsu:Created></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><SOAP-ENV:Body><opvragenTechnischeGegevensTbvKeuringsinstantie xmlns='http://xxx.xxx.nl/RDC'><RDCNummer>000000</RDCNummer><KINummerMelding>XXXXXXX</KINummerMelding><Kenteken>XXXXXX</Kenteken><Meldcode>XXXX</Meldcode></opvragenTechnischeGegevensTbvKeuringsinstantie></SOAP-ENV:Body></SOAP-ENV:Envelope>
GC_CONCURRENT freed 560K, 9% free 6780K/7431K, paused 2ms+4ms
<?xml version='1.0' encoding='UTF-8'?><SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-Instance' xmlns:xsd='http://www.w3.org/2001/XMLSchema'><SOAP-ENV:Header><wsse:Security xmlns:wsse='http://schemas.xmlsoap.org/ws/2003/06/secext'><wsse:UsernameToken wsu:Id='user' xmlns:wsse='http://schemas.xmlsoap.org/ws/2003/06/secext' xmlns:wsu='http://schemas.xmlsoap.org/ws/2003/06/utility'><wsse:Username>xxxxxxxxxxxx</wsse:Username><wsseassword Type='wsseasswordText'>XXXXXXXX</wsseassword><wsu:Created>2012-08-13T20:17:19Z</wsu:Created></wsse:UsernameToken></wsse:Security></SOAP-ENV:Header><SOAP-ENV:Body><opvragenTechnischeGegevensTbvKeuringsinstantie xmlns='http://xxx.xxx.nl/RDC'><RDCNummer>000000</RDCNummer><KINummerMelding>XXXXXXX</KINummerMelding><Kenteken>XXXXXX</Kenteken><Meldcode>XXXX</Meldcode></opvragenTechnischeGegevensTbvKeuringsinstantie></SOAP-ENV:Body></SOAP-ENV:Envelope>
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
at anywheresoftware.b4a.http.HttpClientWrapper$3.run(HttpClientWrapper.java:215)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:442)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
at java.util.concurrent.FutureTask.run(FutureTask.java:137)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)
at java.lang.Thread.run(Thread.java:856)
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
-1
alloc_buffer: Successfully allocated 0x22000 bytes, mIonFd=23, SharedFd=28
map_buffer: Successfully mapped 0x22000 bytes at address 0x64fe2000, SharedFd=69, map_count = 3
AudioHardware pcm playback is going to standby.
closePcmOut_l() mPcmOpenCnt: 1
unmap_buffer: Successfully unmapped 0x22000 bytes at address 0x64fe2000, SharedFd=69, map_count = 2
free_buffer: Freeing 0x22000 bytes, mIonFd=23 SharedFd=28
unmap_buffer: Successfully unmapped 0x22000 bytes at address 0x49864000, SharedFd=28, map_count = 5
*** set_screen_state 0

I hope you can find a solution for this persisting error.

 

[Wilbur]

Some questions.

Why is the delay between the first and second attemp to
send the body only 6 ms ( 2 + 4)
It looks to me that that time is much to short to expect a response from the server. In windows I use 300 msec.

In windows I can set the path to the certificate, like:
Req.SetClientCertificate ("CURRENT_USER\My\" & CertKVK)

In android there is no storename, what name can I use.
How can I find the path to the certificate store.
The name of the certificate is in the setup-view encoded, using this name
makes no difference.
The real name only shows once, during install (CN XXXXXX) of the certificate.

 

[Erel]

Is this web page external? I would like to run some tests.

 

[Wilbur]

I have send you a PM with information

 

[Erel]

I will check it and return to you.

 

[Gary Miyakawa]

I'm interested in this one too... Having to develop some REST capabilities...

I look forward to the solution!

Gary M

 

[Gary Miyakawa]

Was there any success on this subject ?

Thanks,

Gary M

 

[Erel]

There wasn't success. However your case is probably different. Which issue did you encounter?

 

[Wilbur]

Dear Erel

Looking at the last update v. 2.70
There is an update for HttpUtils2.
In a posting on the forum the from
moster67, I read this.

"Finally I had a chance to test "Http.InitializeAccept" for not trusted certificates and it works just perfect."

This option is not in version 2.02.
Do you think it solve the problem with the CA 1 certificates.
Or solve version 2.70 this problem.

To be sure that the problem was not in my code, the server I connect to, turned the
certificate check off for a moment, then my post to the server was handled in the
expected way.

I like your B4A software, but the only reason I bought it was
a project with certificates.
I don't need software I cannot use, so before I buy I new version of
your software I want to be sure the problem is solved.