luelista / friendica-for-android

Friendica Image Uploader for Android - ARCHIVED REPO

SSL fails with "No peer certificate" #6

Open omigeot-ccpo opened 12 years ago

omigeot-ccpo commented 12 years ago

When logging in with HTTPS (on an SNI-enabled host), an exception occurs: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

This happens on several Android versions (2.3 and 4.0 tested), and only on some servers (zottel's and abcentric.net, for now).

luelista commented 12 years ago

I don't know why this happens - I'm using the internal Android API functions to do these web requests, so they should work the same as the browser, and I can't really change their behaviour.

What I could try is to provide a setting to completely disable any certificate checks.

omigeot-ccpo commented 12 years ago

On 13/06/2012 21:41, Max Weller wrote:

> I don't know why this happens - I'm using the internal Android API functions to do these web requests, so they should work the same as the browser, and I can't really change their behaviour.

I'm trying to find some literature on the subject, but my Java knowledge is getting pretty old and unused. At the very least, it seems that browser and internal API funcs are NOT supposed to work the same. At least on Gingerbread, where the browser doesn't support SNI (name-based VHost through SSL), but API functions do. That's what leads me to think SNI isn't the problem, but something else in the way StartSSL works - something about their intermediate CA maybe.

> What I could try is to provide a setting to completely disable any certificate checks.

That would be a very nice workaround, of course. A slightly better one would be to allow self-signed certs - just keeping their fingerprints and raising an alert when they change.

But the fight isn't over yet :)

Olivier
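
The fingerprint idea from the last comment (remember a certificate's fingerprint per host and raise an alert when it changes), as an added example that is not part of the thread or the app's code. The class name `FingerprintPinStore`, the host `friendica.example` and the byte strings standing in for certificate encodings are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical trust-on-first-use store: one SHA-256 certificate fingerprint per host. */
public class FingerprintPinStore {
    public enum Result { FIRST_SEEN, MATCH, CHANGED }

    // host -> hex SHA-256 of the DER-encoded leaf certificate (persist this in real use).
    private final Map<String, String> pins = new ConcurrentHashMap<>();

    static String fingerprint(byte[] derCert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(derCert);
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b & 0xff));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Compares the presented certificate with the stored pin; never overwrites a pin. */
    public Result check(String host, byte[] derCert) {
        String seen = fingerprint(derCert);
        String pinned = pins.putIfAbsent(host.toLowerCase(Locale.ROOT), seen);
        if (pinned == null) return Result.FIRST_SEEN; // show the fingerprint to the user
        return pinned.equals(seen) ? Result.MATCH : Result.CHANGED;
    }

    /** Replaces a pin only after the user has explicitly accepted the new certificate. */
    public void accept(String host, byte[] derCert) {
        pins.put(host.toLowerCase(Locale.ROOT), fingerprint(derCert));
    }

    public static void main(String[] args) {
        FingerprintPinStore store = new FingerprintPinStore();
        // Constructed stand-ins for X509Certificate.getEncoded() of the server's leaf cert.
        byte[] certA = "constructed-cert-A".getBytes(StandardCharsets.UTF_8);
        byte[] certB = "constructed-cert-B".getBytes(StandardCharsets.UTF_8);
        System.out.println(store.check("friendica.example", certA));
        System.out.println(store.check("Friendica.Example", certA));
        System.out.println(store.check("friendica.example", certB)); // abort and alert here
    }
}
```

Unlike a setting that disables certificate checks entirely, a `CHANGED` result here stops the connection until the user confirms the new fingerprint through `accept`.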