B4J Question [SOLVED] Webview: Load URL from Server with self signed certificate

inakigarm

Well-Known Member
Licensed User
Longtime User
Hi:

I've search the forum and found and coded the solution in this post:
https://www.b4x.com/android/forum/threads/webview-certificate-lets-encrypt.64832/#post-410628

This works fine if the SSL certificate is a valid SSL certificate but if it's self signed, there's an error on the certificate handshaking.

I've googled for the solution and it seems that solution require to configure local keystore:
http://www.smartjava.org/content/how-analyze-java-ssl-errors
https://www.codebyamir.com/blog/java-developers-guide-to-ssl-certificates
but for my needs, that's not possible (the webview is part an app and it's not possible to access-configure the local keystore of the user computer) and I've not found other solution.

Is there any inline code that allows to load an URL from a Server configured with an SSL self signed certificate ?

Thanks

(Attached the B4J code/see the differents logs if the Page comes from a Server with a valid SSL certificate or self signed
 

Attachments

  • Webview loadpage selfcertificate.zip
    3 KB · Views: 412

inakigarm

Well-Known Member
Licensed User
Longtime User
Ok. Was tricky (because there was some self-signed certificates around that works and some others not) but found the issue with the help of https://badssl.com and other info.

Desktop browsers accept (or ask for) Self signed certificates when the CN Certificate field (server hostname) is not set (or set incorrectly: check https://www.pcwebshop.co.uk, works on Desktop browsers but not in Java Webview)

JavaFX Webview doesn't accept bad self-signed certificates (almost with an incorrect CN -->checked only with an incorrect CN)

So, I've had to change my self-signed certificate to a one with a correct CN and now works (the B4J code remains unchanged)
Maybe is possible to instruct Java Webview to not test SSL CN validity by some inline java code but I mark this as Solved as changing to a correct self-signed certificate works for my purposes.
 
Upvote 0

mik1214324

Member
Licensed User
Hi:

I've search the forum and found and coded the solution in this post:
https://www.b4x.com/android/forum/threads/webview-certificate-lets-encrypt.64832/#post-410628

This works fine if the SSL certificate is a valid SSL certificate but if it's self signed, there's an error on the certificate handshaking.

I've googled for the solution and it seems that solution require to configure local keystore:
http://www.smartjava.org/content/how-analyze-java-ssl-errors
https://www.codebyamir.com/blog/java-developers-guide-to-ssl-certificates
but for my needs, that's not possible (the webview is part an app and it's not possible to access-configure the local keystore of the user computer) and I've not found other solution.

Is there any inline code that allows to load an URL from a Server configured with an SSL self signed certificate ?

Thanks

(Attached the B4J code/see the differents logs if the Page comes from a Server with a valid SSL certificate or self signed

For those who searched the solution for b4j, just add this:
(it took me about 5 hours non-stop web sniffing but the solution is easy and effective)

Sub AppStart (Form1 As Form, Args() As String)
Dim jo As JavaObject = Me
jo.RunMethod("disableSSLTest", Null)
'now you can open web-sites wich uses self-signed ssl
Web.LoadUrl("https://192.168.0.18")
End Sub

#if JAVA
import java.security.GeneralSecurityException;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

public static void disableSSLTest() {
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};

// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (GeneralSecurityException e) {
}

HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};

// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
}
#end if
 
Upvote 0
Top