Netroid icon indicating copy to clipboard operation
Netroid copied to clipboard
verified publisher icon vince-styling

SSLPeerUnverifiedException when providing self-signed Certificate on SSLSocketFactory

Open GrayCygnus opened this issue 7 years ago • 4 comments

Hello there. First of all I want to congratulate you for such fine Library @vince-styling :) I have been struggling for days with alternatives and this one I tried and read and seems neat (although I don't know Chinese, the code is really self-explanatory).

Now, I am having an issue when providing my SSLSocketFactory to the HurlStack. The error I get reads (with xx on my sensible data):

javax.net.ssl.SSLPeerUnverifiedException: Hostname x.x.x.x not verified: certificate: xxxx DN: CN=xx.xx,O=xx,L=xx,ST=xx,C=xx subjectAltNames: []

Before finding this great library, I successfully used my self-signed Certificate and was able to talk to my API via HTTPS, by setting it my SSLSocketFactory as done in the HurlStack. However, to be able to do that, I also had to specify a HostnameVerifier to the HttpsURLConnection. As of right now I pass my custom HostnameVerifier to the connection and it works ok.

Reading the source code, it seems to me that Netroid does not set a HostnameVerifier to the connection (as far as I understand, I could be wrong though), specifically on:

https://github.com/vince-styling/Netroid/blob/7e67a08db8fecfee9d8c9ac4be625da108c4012c/library/src/main/java/com/vincestyling/netroid/stack/HurlStack.java#L163-L167

What do you suggest I can do to overcome this situation, so I can set my own HostnameVerifier?

Thanks :)

GrayCygnus avatar May 23 '18 18:05 GrayCygnus

I guess that the HurlStack could be added an extra parameter to the constructor where the HostnameVerifier is passed. Other option is not to add the parameter and instead add a generic HostnameVerifier if the connection is HTTPS, that just returns true, something like:

((HttpsURLConnection) connection).setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        //custom verification here if desired
        return true;
    }
});

I suppose I could download the source code and add it myself, but want to hear what you think first.

GrayCygnus avatar May 23 '18 19:05 GrayCygnus

Now that I think of it, is there a way to pass Authentication credentials to the connection?

GrayCygnus avatar May 23 '18 22:05 GrayCygnus

Now that I think of it, is there a way to pass Authentication credentials to the connection?

I answered myself on this one. This can be achieved by providing an overrided FileDownloader, similar to this example: https://github.com/vince-styling/Netroid/blob/7e67a08db8fecfee9d8c9ac4be625da108c4012c/sample/src/main/java/com/vincestyling/netroid/sample/FileDownloadActivity.java#L130-L141

Where one would then call instead:

addHeader("Authorization", "Basic "+yourAuthCredentials)

Regarding the HostnameVerifier I still ignore how to pass it without having to reimplement the HurlStack class... will continue trying alternatives.

GrayCygnus avatar May 24 '18 16:05 GrayCygnus

sorry, It's been a long time, I pay no time here.

vince-styling avatar Oct 12 '18 06:10 vince-styling