accepting self-signed certificates


Frangiskos Sigalas

Apr 5, 2012, 9:44:56 AM
to ksoap2-...@googlegroups.com
Hello,

The class HttpsServiceConnectionSE could be extended with one additional method, setSSLSocketFactory(SSLSocketFactory factory), that would allow a user to set the SSLSocketFactory for the HttpsURLConnection connection member.

In this way, one can create custom implementations of SSLSocketFactory and thus be able to accept self-signed certificates.

Do you think this has some value?

Best regards,
Frangiskos Sigalas

Manfred Moser

Apr 5, 2012, 5:55:59 PM
to ksoap2-...@googlegroups.com
Sure... just send a pull request and I will look at it and we can
discuss details there.

Frangiskos Sigalas

Apr 10, 2012, 5:01:45 AM
to ksoap2-...@googlegroups.com
I sent you a pull request in github.

Manfred Moser

Apr 10, 2012, 1:20:58 PM
to ksoap2-...@googlegroups.com

Merged..

Manfred Moser

Apr 10, 2012, 1:22:21 PM
to ksoap2-...@googlegroups.com

Could you write up a small example that we can put on the wiki...

Frangiskos Sigalas

Apr 13, 2012, 6:46:11 AM
to ksoap2-...@googlegroups.com
This class is a simple example of how the SSLSocketFactory can be set in order to allow self-signed certificates read from a KeyStore.

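import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.ksoap2.SoapEnvelope;
import org.ksoap2.serialization.SoapObject;
import org.ksoap2.serialization.SoapSerializationEnvelope;
import org.ksoap2.transport.HttpsServiceConnectionSE;
import org.ksoap2.transport.HttpsTransportSE;

public class ConnectionWithSelfSignedCertificate {

    // Trust store holding the self-signed certificate(s) to accept
    private KeyStore keyStore;

    public ConnectionWithSelfSignedCertificate(KeyStore keyStore) {
        this.keyStore = keyStore;
    }

    public void dummy(String host, int port, String file, int timeout) throws Exception {
        SoapObject client = new SoapObject("", "dummy");
        SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(SoapEnvelope.VER11);
        envelope.bodyOut = client;
        HttpsTransportSE transport = new HttpsTransportSE(host, port, file, timeout);
        // Install the custom factory on the transport's connection before making the call
        ((HttpsServiceConnectionSE) transport.getConnection()).setSSLSocketFactory(getSSLSocketFactory());
        transport.call("", envelope);
    }

    // Builds a socket factory whose trust managers are initialised from the supplied KeyStore
    private SSLSocketFactory getSSLSocketFactory() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext context = SSLContext.getInstance("SSL");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }
}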

I totally agree with your comment on the pull request that there should be a getter for connections.
Another constructor in HttpsTransportSE and HttpsServiceConnectionSE with an additional Proxy argument may also prove useful.

Manfred Moser

Apr 24, 2012, 2:00:05 AM
to ksoap2-...@googlegroups.com
I added this to the wiki and in terms of the setter and constructor
feel free to create an issue and a pull request with the
implementation.

manfred

Dhananjaya Premaratna

May 9, 2012, 3:48:26 AM
to ksoap2-...@googlegroups.com
When I use this code the line : ((HttpsServiceConnectionSE) transport.getConnection()).setSSLSocketFactory(getSSLSocketFactory()); throws a null pointer exception

If I comment out this line then it will throw an SSL certificate error, which is obvious. I have made the BKS and it is in my Android project and all that is done properly. However, the above line gives a null pointer exception

Code....

HttpsTransportSE httpsTransportSE = new HttpsTransportSE("192.0.0.222",443,"/axis2/services/servicename?wsdl",5000);
((HttpsServiceConnectionSE) httpsTransportSE.getConnection()).setSSLSocketFactory(getSSLSocketFactory(keyStore)); // null pointer throws here
httpsTransportSE.call(SOAP_ACTION, envelope);

and...

private SSLSocketFactory getSSLSocketFactory(KeyStore keyStore) throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keyStore);
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, tmf.getTrustManagers(), null);
    return context.getSocketFactory();
}


That is my code

Manfred Moser

May 9, 2012, 12:58:41 PM
to ksoap2-...@googlegroups.com
You are requesting the wsdl instead of the actual service. That is wrong..

rui luis

May 9, 2012, 1:16:46 PM
to ksoap2-android
I am having the same error..

public ServerManager(Context context) {
    InputStream in = null;
    try {
        keyStore = KeyStore.getInstance("BKS");
        in = context.getResources().openRawResource(R.raw.mystore);

        keyStore.load(in, "mypassword".toCharArray());

    } catch (Exception e) {
        System.out.println("Error loading keystore1:" + e.toString());
    } finally {
        if (in != null) {
            try {
                in.close();
            } catch (IOException e) {
                System.out.println("Error loading keystore2:" + e.toString());
            }
        }
    }
}

private SSLSocketFactory getSSLSocketFactory() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keyStore);
    SSLContext context = SSLContext.getInstance("SSL");
    context.init(null, tmf.getTrustManagers(), null);
    SSLSocketFactory aa = context.getSocketFactory();
    return aa;
}

HttpsTransportSE androidHttpTransport = new HttpsTransportSE(SERVER, 8888, "/axis2/services/service1", 15000);

((HttpsServiceConnectionSE) androidHttpTransport.getConnection()).setSSLSocketFactory(getSSLSocketFactory());

androidHttpTransport.call(SOAP_ACTION_UPDATEPV, envelope);

it gives null pointer exception

Manfred Moser

May 9, 2012, 1:25:07 PM
to ksoap2-...@googlegroups.com
Can you debug into the library and see what is wrong and maybe send a
pull request with a fix? Or post a sample project on github or so that
I can just test with?

manfred

rui luis

May 10, 2012, 5:34:02 AM
to ksoap2-android
Sorry for the delay..
starting to deal with this..

the null pointer is from the fact that
((HttpsServiceConnectionSE)androidHttpTransport.getConnection())
is returning null.. don't know why.. going to investigate

rui luis

May 10, 2012, 5:48:53 AM
to ksoap2-android
I went to see the code
https://code.google.com/p/bing-translator/source/browse/trunk/src/org/ksoap2/transport/HttpsTransportSE.java

public ServiceConnection getConnection() {
    return (HttpsServiceConnectionSE) conn;
}

this returns the conn however the conn is only created at

protected ServiceConnection getServiceConnection() throws IOException {
    conn = new HttpsServiceConnectionSE(host, port, file, timeout);
    return conn;
}

that is only called when I do in my code

androidHttpTransport.call(SOAP_ACTION_UPDATEPV, envelope);

therefore
((HttpsServiceConnectionSE)androidHttpTransport.getConnection())

will always return null..

Manfred Moser

May 10, 2012, 12:50:10 PM
to ksoap2-...@googlegroups.com
Feel free to provide a patch that fixes that problem..

Mario

Sep 14, 2012, 7:54:16 AM
to ksoap2-...@googlegroups.com
Hello,

I am experiencing the same problem. Is there a way to fix it? 

HttpsTransportSE transport = new HttpsTransportSE(SERVER, 8543, "/MyService/myservice", timeout);
((HttpsServiceConnectionSE) transport.getConnection()).setSSLSocketFactory(getSSLSocketFactory());

Mario

Sep 14, 2012, 11:21:25 AM
to ksoap2-...@googlegroups.com
I solved it.

Manfred Moser

Sep 14, 2012, 12:27:48 PM
to ksoap2-...@googlegroups.com
Care to share with the rest of the people on the list how you did it ;-)

Jack

Oct 22, 2012, 12:11:14 AM
to ksoap2-...@googlegroups.com
Same problem as the others..
the line ((HttpsServiceConnectionSE) transport.getConnection()).setSSLSocketFactory(getSSLSocketFactory()); returns null as well.
Am pretty sure the certificate is working well because tested with a normal HttpsURLConnection and it returns 200.
Would be helpful if any fixes on it.

Steve Chock

Mar 23, 2013, 2:20:25 AM
to ksoap2-...@googlegroups.com
Had the same problem. Got a newer version of the ksoap2 library. The getConnection() method has been replaced with the getServiceConnection() method which now returns the expected object. Unfortunately, the latest version, 3.0, seems to have a new problem. The ServiceConnection object that it returns is always a new object. My workaround was to replace HttpsServiceConnectionSE with the version just prior. Don't know if this would cause other problems, but it was the only way I could get my version of the SSLSocketFactory into the object.

Manfred Moser

Mar 23, 2013, 4:22:16 PM
to ksoap2-...@googlegroups.com
I am hoping somebody experiencing the problems can supply a fix. I can
then cut a 3.0.1 release.

manfred

Anatoliy Shuba

Mar 23, 2013, 6:03:05 PM
to ksoap2-...@googlegroups.com
Steve,

Could you please point me to commit ID with changes you had mentioned?
Is this 352ba889d79b61 ?

On Monday, October 22, 2012, 7:11:14 UTC+3, user Jack wrote:

Fulvio Cusimano

Mar 25, 2013, 7:46:53 AM
to ksoap2-...@googlegroups.com
Hi. I always get the same exception thrown: "Trust anchor for certification path not found", even though I created the keystore in the /res/raw folder and set the SocketFactory using BKS in the private method getSSLSocketFactory()

// Load the self-signed server certificate
private SSLSocketFactory getSSLSocketFactory() throws Exception {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

    char[] passphrase = "ssltestcert".toCharArray();
    KeyStore ksTrust = KeyStore.getInstance("BKS");
    ksTrust.load(mContext.getResources().openRawResource(R.raw.ssltestcert), passphrase);
    tmf.init(ksTrust);

    // Create a SSLContext with the certificate
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, tmf.getTrustManagers(), null);
    return sslContext.getSocketFactory();
}

invoked by this code snippet:

HttpsTransportSE androidHttpTransport = new HttpsTransportSE("HOST", 443, "REALTIVE_PATH", 10000);
HttpsServiceConnectionSE sc = (HttpsServiceConnectionSE) androidHttpTransport.getServiceConnection();
sc.setSSLSocketFactory(getSSLSocketFactory());
androidHttpTransport.debug = true;
androidHttpTransport.call(sds[0].SOAP_ACTION, envelope);

The certificate is ok since I tried to connect to my webservice from another site providing authentication parameters wrapped in soapheader (according to my webservice implementation) and all went smoothly...

Unfortunately I cannot succeed in making it work and I got really frustrated!!

Any help would be really appreciated

Thanks 

Fulvio


Steve Chock

Mar 27, 2013, 5:01:02 PM
to ksoap2-...@googlegroups.com
Yes, that commit removed the serviceConnection field, so I used 71b235f4f344269af9d4d00331e77cae995cdbf2 to get it back.

d...@nandgate.com

Apr 3, 2013, 10:46:42 AM
to ksoap2-...@googlegroups.com, fras...@gmail.com
Only kind-of on-topic, but I had to get through this same problem, and resolved it outside of kSOAP, simply because that's cleaner. Blog about it (with source) is here: http://donmacvittie.ulitzer.com/node/2596103 and provides info for people new to the topic.

The use case I had was 100% kSOAP, in my case to allow connections to servers that were self-signed because they were in test, but not knowing what the server info would be ahead of time. It works in my project very well, and kept kSOAP out of the SSL cert verification mess ;-).

Don't know if that's any help at all, but hope it is.

Don.

Manfred Moser

Apr 3, 2013, 12:54:42 PM
to ksoap2-...@googlegroups.com
Thanks for that blog post. I added it to the links wiki page

marco.b...@gmail.com

Apr 12, 2013, 7:32:05 AM
to ksoap2-...@googlegroups.com
Undoubtedly an excellent job. I used in my app and it worked fine to connect servers. 
But still can not solve the problem of the client certificate.

I informed the parameter keyManager in sc.init, but the test I did on https page that requires client authentication did not work.
The error message I get is: java.io.FileNotFoundException: https://www.sefaz.rs.gov.br/SSL_Client/NFE-CER-CON.aspx
The responseCode is 403 (Forbidden).

My question is: has anyone gained access to an https page that requires a client certificate?
Can you please tell me a page that I can use for testing?

Thanks.
mbarbiero

Don MacVittie

Apr 12, 2013, 10:36:19 AM
to ksoap2-...@googlegroups.com
Hi marco,

Yes, client certs were beyond the scope of my project so I didn't tackle that topic. Let me ask some of my security friends if they have a solution that isn't terribly complex, and I'll circle back this weekend either way.

Don.


mbarbiero

Apr 12, 2013, 10:03:04 PM
to ksoap2-...@googlegroups.com
Hi Don

I tested your solution on other servers and it worked fine. I think that the error was in this specific server.

In summary: Simply inform the KeyManager parameter in the sc.init method and use a certificate with the complete trusted chain.

Thanks Don, Manfred and members.

mbarbiero


Sebastian Rösch

Apr 25, 2013, 6:14:11 AM
to ksoap2-...@googlegroups.com
I tried Don's solution and it is working (thanks for your blog post!).
However, I like the idea of creating my own SSLSocketFactory based on my own keystore, to be able to verify the certificate instead of manually accepting and denying unknown certificates.
It turns out that this is not working when you try to use the setSSLSocketFactory method mentioned above. What is working, though, is to use the created factory as the default factory (for all https connections of the app), by using HttpsURLConnection.setDefaultSSLSocketFactory(mySSLSocketFactory);
I will stick to this solution (since I don't have any additional https connections in my app) and hope to see ksoap's setSSLSocketFactory fixed some day :)

Thanks to all people discussing the issue!

Sebastian
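
Editor's added example (not code from the thread or from ksoap2): a keystore-backed factory like the ones posted above, with one guard added. TrustManagerFactory.init((KeyStore) null) does not fail; it selects the platform's default trust anchors, so a keystore whose load error was swallowed silently drops the custom trust. The class name PinnedTrustFactory and its method are hypothetical, and the inputs in main are constructed.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper for illustration; not part of ksoap2.
public class PinnedTrustFactory {

    /** Builds a socket factory that trusts only the certificate entries in trustStore. */
    public static SSLSocketFactory fromKeyStore(KeyStore trustStore) throws GeneralSecurityException {
        // A null store would make tmf.init() use the platform default anchors,
        // so a keystore that failed to load is rejected here instead.
        if (trustStore == null) {
            throw new GeneralSecurityException("trust store was not loaded");
        }
        // Policy of this example: require at least one trusted-certificate entry.
        boolean hasAnchor = false;
        for (String alias : Collections.list(trustStore.aliases())) {
            hasAnchor |= trustStore.isCertificateEntry(alias);
        }
        if (!hasAnchor) {
            throw new GeneralSecurityException("trust store has no trusted certificate entries");
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a keystore that was never loaded, and an empty one.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        for (KeyStore candidate : new KeyStore[] {null, empty}) {
            try {
                fromKeyStore(candidate);
                System.out.println("factory created");
            } catch (GeneralSecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // With a populated store, the factory can be scoped to one connection
        // rather than installed as the app-wide default:
        //   HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        //   c.setSSLSocketFactory(PinnedTrustFactory.fromKeyStore(store));
    }
}
```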

Android_development4

Apr 9, 2014, 8:30:31 AM
to ksoap2-...@googlegroups.com
getting error "org.ksoap2.transport.HttpResponseException: HTTP request failed, HTTP status: 404"

Android_development4

Apr 9, 2014, 8:32:40 AM
to ksoap2-...@googlegroups.com

Don

Apr 9, 2014, 9:48:49 AM
to ksoap2-...@googlegroups.com, ksoap2-...@googlegroups.com
Have you tried the URI in a browser? 404 is "not found", unlikely to have anything to do with SSL, though depending upon how processing goes, it could happen.

Don.

Sent from my phone, meaning I blame autocorrect for all spelling/grammar errors.

Don MacVittie

Apr 9, 2014, 4:26:58 PM
to ksoap2-...@googlegroups.com
Hi again.

With just this URL I cannot tell much... But don't think you should post much more publicly.
If you have non-Android clients hitting this URL, and it working, then it is likely in Android.

That leaves a lot though. Can you hit other pages on the same webserver, for example? 404 (generally) means it can talk to the server but not find the URL. If there is an authentication error, it SHOULD be returning 405, though lots of SOAP returns 404, for whatever reason. A plain-text page on the server, for example, can you get that to open in a browser? From your code?

If you can, do you have access to the logs/source from the server side? Can you see if the application is even getting a connection? Sometimes an app will return 404 if it has insufficient information to render the page - even though they shouldn't, since the URI was "found", just needs more data.

The other question - if you set a breakpoint on the two spots my blog suggested you write code, does either break point get triggered during connection to that URI?

Just trying to track down where the error might be occurring, apologies if this seems slow and pedantic.

Regards,
Don.



android.development4

Apr 14, 2014, 8:07:30 AM
to ksoap2-...@googlegroups.com

Thanks, there was a problem with the server :-) code is working fine

Don MacVittie

Apr 14, 2014, 11:46:38 AM
to ksoap2-...@googlegroups.com
Excellent. Hope your project goes well!
Don.