Android: SSL javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

Anna

Apr 4, 2014, 3:56:52 AM
to mobile-c...@googlegroups.com
I got the exception: 

04-04 09:44:06.708  27762-27905/ideal.fill.in E/Database﹕ io exception
    javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
            at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
            at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
            at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
            at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:173)
            at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
            at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
            at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
            at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
            at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
            at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
            at com.couchbase.lite.support.RemoteRequest.executeRequest(RemoteRequest.java:126)
            at com.couchbase.lite.support.RemoteRequest.run(RemoteRequest.java:83)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1080)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:573)
            at java.lang.Thread.run(Thread.java:841)
04-04 09:44:06.708  27762-28031/ideal.fill.in D/Database﹕ com.couchbase.lite.replicator.Replication$5@4247d450 error getting remote checkpoint: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
04-04 09:44:06.718  27762-28031/ideal.fill.in E/Database﹕ Puller@42323d18[https://---:---@xxxxxxxx.iriscouch.com/groups] Progress: set error = javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

Is there any way I can resolve this? Or what could be the cause of that?
The URL that I use for pulling from the database is https://admin:password@....

Jens Alfke

Apr 4, 2014, 10:22:31 AM
to mobile-c...@googlegroups.com

On Apr 4, 2014, at 12:56 AM, Anna <kryhitka...@gmail.com> wrote:

Is there any way I can resolve this? Or what could be the cause of that?

I don’t know the details, but since the exception is “javax.net.ssl.SSLPeerUnverifiedException: No peer certificate”, it sounds like the server doesn’t have a valid SSL certificate.

If you access the server’s URL using a web browser, do you get a security alert?

—Jens

Anna

Apr 4, 2014, 10:24:11 AM
to mobile-c...@googlegroups.com
No, no problems on the web, no security alert.

Traun Leyden

Apr 4, 2014, 6:12:03 PM
to mobile-c...@googlegroups.com
I think that site must be using a self-signed certificate, or is using a certificate that is not signed by a "standard" certificate authority that's pre-shipped with the http client libs.

There's a way to plug in a custom SSLSocketFactory that should allow you to circumvent the issue:


--
You received this message because you are subscribed to the Google Groups "Couchbase Mobile" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mobile-couchba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mobile-couchbase/94a5f613-439f-46b3-974b-d31c393400b2%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Jens Alfke

Apr 7, 2014, 12:16:23 PM
to mobile-c...@googlegroups.com

On Apr 4, 2014, at 3:12 PM, Traun Leyden <traun....@gmail.com> wrote:

I think that site must be using a self-signed certificate, or is using a certificate that is not signed by a "standard" certificate authority that's pre-shipped with the http client libs.
There's a way to plug in a custom SSLSocketFactory that should allow you to circumvent the issue:

Putting on my security hat (made of tinfoil):

If you do this, be cautious. Do not override SSL verification to always succeed, or to check only the hostname. The right thing to do is to embed your server’s self-signed cert, or the nonstandard root cert that signed it, into your app and tell the SSL verifier to use that as a trusted cert. Otherwise you leave yourself open to various forms of man-in-the-middle attack where someone with control over the app's DNS (i.e. via a hacked WiFi router) can point it to a fake server.

This isn’t just hypothetical. If you’ve seen recent headlines about “Thousands of iOS and Android apps found vulnerable to SSL attacks”, this is what they’re talking about. There are real-world WiFi router hacks that do this for some servers used by popular apps, and it’s not impossible that someone might do it to you if your app gets popular enough…

—Jens

Anna

Apr 17, 2014, 6:40:26 AM
to mobile-c...@googlegroups.com
In the solution that was suggested, one should use CBLHttpClientFactory from com.couchbase.cblite that has the function setSSLSocketFactory.
If I have compile 'com.couchbase.cblite:CBLite:1.0.0-beta2' in my project gradle file, this CBLHttpClientFactory is not accessible. How can I have it in my project?

Traun Leyden

Apr 17, 2014, 2:01:02 PM
to mobile-c...@googlegroups.com
In beta2 there was a mass re-naming to remove the CBL prefix, since that's not idiomatic for Java.

So CBLHttpClientFactory has been renamed to HttpClientFactory.




Anna

Apr 22, 2014, 3:07:05 AM
to mobile-c...@googlegroups.com
The http-client-factory class that has the method to get the instance and to set the SSL socket is called CouchbaseLiteHttpClientFactory.
The problem is that CouchBaseLite does not use this class for requests to the database (class RemoteRequest), but the above-mentioned HttpClientFactory, which does not have this functionality at all. Thus, is it possible to use the solution with the SSL socket with the current version of CouchBaseLite in some way?

Traun Leyden

Apr 22, 2014, 4:39:11 PM
to mobile-c...@googlegroups.com

I think I may have pointed you in the wrong direction.  I should have said CBLHttpClientFactory has been renamed to CouchbaseLiteHttpClientFactory, not HttpClientFactory.

There is a "quasi-public" API that will allow you to set a custom SSLSocketFactory.  Here is an example of using it:


(code snippet taken from https://github.com/couchbase/couchbase-lite-java-core/pull/9 and adapted for new class names)



Anna

May 30, 2014, 5:17:53 AM
to mobile-c...@googlegroups.com
I have updated to 'com.couchbase.lite:couchbase-lite-android:1.0.0-55' and now the solution using:

CouchbaseLiteHttpClientFactory.INSTANCE.setSSLSocketFactory(sf);

won't work because one cannot access INSTANCE this way anymore. Are there any other solutions available, as Couchbase Lite Android was updated?

Michael Hines

Jun 4, 2014, 7:57:49 AM
to mobile-c...@googlegroups.com
You have to do it like this:

((CouchbaseLiteHttpClientFactory) manager.getDefaultHttpClientFactory()).setSSLSocketFactory(sf);

Way too complicated, but that's what the source code says =).

- Michael

Traun Leyden

Jun 5, 2014, 7:24:56 PM
to mobile-c...@googlegroups.com

Actually I don't think that will work, because manager will probably return null unless you've set one previously.

I filed an issue with a possible workaround here: https://github.com/couchbase/couchbase-lite-java-core/issues/223




Michael Hines

Jun 5, 2014, 11:32:15 PM
to mobile-c...@googlegroups.com
You can set one by getting the one from the database you just opened to set up the replication:

PersistentCookieStore cookieStore = database.getPersistentCookieStore();
CouchbaseLiteHttpClientFactory factory = new CouchbaseLiteHttpClientFactory(cookieStore); 
manager.setDefaultHttpClientFactory(factory);
factory.setSSLSocketFactory(sf);

It works fine for me.
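
Added example (not code from this thread or from Couchbase Lite): one way to build the `sf` passed to setSSLSocketFactory above so that it follows Jens's advice of trusting only a certificate embedded in the app, instead of switching verification off. It assumes `sf` is Apache HttpClient's org.apache.http.conn.ssl.SSLSocketFactory as bundled with Android (the class seen in the stack trace); the class name PinnedSslSocketFactory and the alias "embedded-server-cert" are hypothetical.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import org.apache.http.conn.ssl.SSLSocketFactory;

/** Added example: trust only a certificate that ships inside the app. */
public final class PinnedSslSocketFactory {

    private PinnedSslSocketFactory() {}

    /**
     * @param certStream X.509 certificate (PEM or DER) bundled with the app:
     *                   the server's self-signed certificate, or the private
     *                   root that signed it. Assumption: the caller opens it,
     *                   for example from a raw resource or an asset.
     */
    public static SSLSocketFactory fromEmbeddedCert(InputStream certStream)
            throws Exception {
        Certificate cert;
        try {
            cert = CertificateFactory.getInstance("X.509")
                    .generateCertificate(certStream);
        } finally {
            certStream.close();
        }

        // Empty trust store that contains ONLY the embedded certificate, so
        // no other CA (system or user-installed) can vouch for the server.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("embedded-server-cert", cert);

        // Chain validation stays enabled, anchored at the embedded cert.
        SSLSocketFactory sf = new SSLSocketFactory(trustStore);

        // Hostname checking stays enabled as well; the embedded certificate
        // must therefore name the host the app connects to.
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return sf;
    }
}
```

The returned factory is what gets handed to factory.setSSLSocketFactory(sf) in the post above. A connection to a server presenting any other certificate fails with an SSL exception rather than silently succeeding.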

Michael Hines

Jun 5, 2014, 11:33:21 PM
to mobile-c...@googlegroups.com
Looks like you beat me to it =). Nice.

asif ahmed

Mar 9, 2015, 11:38:14 AM
to mobile-c...@googlegroups.com
As everyone said, it is happening because of untrusted server certificates. There are a few more reasons to get this exception:
Changed date & time on the device.
Slow internet connection.

Here, what I see in your code is that you're using a thread pool executor to call APIs.
Make some delay of approx. 1 or 2 sec in each, in order to minimise this error... hope it will help you.