I have to establish an SSL connection to https://xdm.telefonica.es:8096/
(on Android 2.2+).
Certificate chain of the server is (openssl s_client -connect
0 s:/C=ES/ST=Madrid/L=Madrid/O=TELEFONICA MOVILES ESPANA
SA./OU=Desarrollo de Servicios/CN=xdm.telefonica.es
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International
Server CA - G3
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign
International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref.
LIABILITY LTD.(c)97 VeriSign
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Translating it into user-friendly form (CN, serial number):
0: xdm.telefonica.es, 0x64 4E 91 4B 13 33 CF 6C 1C 08 D2 9C 21 E0 C4 75
1: VeriSign Class 3 International Server CA - G3, 0x64 1B E8 20 CE 02 08
13 F3 2D 4D 2D 95 D6 7E 67
2: VeriSign Class 3 Public Primary Certification Authority - G5, 0x18 DA
D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
I extracted (adb pull /system/etc/security/cacerts.bks 2_3_4cacerts.bks)
cacerts.bks from my 2.3.4 Galaxy SII and listed all root certificates
(keytool -list -v -keystore 2_3_4cacerts.bks -storepass changeit
-storetype BKS -provider
bcprov-jdk16-146.jar). It turns out that the root certificate (2:) is listed
as trusted, but the intermediate one (1:) is not on the list. I also checked
Android 3.2: the result is the same.
Simple code snippet:
DefaultHttpClient hc = new DefaultHttpClient();
returns famous javax.net.ssl.SSLPeerUnverifiedException: No peer
For comparison, for URI "https://mail.google.com" the result is HTTP/1.1 200 OK.
Which one of the following directions should I take:
1. attach custom keystore to my application (as raw resource)
containing 0: certificate?
   1. it would be troublesome, as 0: is issued for a few months only and
   the application would need updating on clients' devices
2. attach custom keystore to my application (as raw resource)
containing 1: certificate? would it fix my problem? (If yes, I guess
it would be the most preferable one?)
3. ask server owner to get new certificate that would be signed using
android-trusted certificate (we cooperate, so I guess it could be
4. any other approach? - apart from dismissing certificate check, that
is not acceptable
Thanks in advance,
The best thing about UDP jokes is that I don't care if you get them or not
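
Directions 1 and 2 in the list above (a custom BKS keystore shipped as a raw resource) could be wired into `DefaultHttpClient` as sketched here. This is an added example, not part of the original post; the class name `PinnedTrustHttpClient` and the `rawResId` and `password` parameters are hypothetical, and the keystore is assumed to have been built beforehand with keytool and the BouncyCastle provider. Port 8096 is taken from the URL in the post.

```java
import android.content.Context;
import java.io.InputStream;
import java.security.KeyStore;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

/** Hypothetical helper: an HTTP client whose trust anchors come from a bundled BKS file. */
public final class PinnedTrustHttpClient {
    private PinnedTrustHttpClient() {}

    /**
     * @param rawResId hypothetical raw resource id (for example R.raw.xdm_truststore)
     *                 of a BKS keystore holding the certificate(s) to trust
     * @param password store password chosen when that keystore was created
     */
    public static DefaultHttpClient create(Context ctx, int rawResId, char[] password)
            throws Exception {
        KeyStore trusted = KeyStore.getInstance("BKS");
        InputStream in = ctx.getResources().openRawResource(rawResId);
        try {
            trusted.load(in, password);
        } finally {
            in.close();
        }

        // Certificates in 'trusted' are the trust anchors for this client.
        // Chain validation stays on; only the anchor set differs from the system store.
        SSLSocketFactory sf = new SSLSocketFactory(trusted);
        // Keep hostname verification enabled and strict.
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", sf, 8096));

        HttpParams params = new BasicHttpParams();
        ClientConnectionManager cm = new SingleClientConnManager(params, registry);
        return new DefaultHttpClient(cm, params);
    }
}
```

Because only the `https` scheme is registered, this client refuses plain `http` URLs, and certificate and hostname checks remain in force.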