My question:
Has anyone successfully authenticated an SSL connection with a client certificate on Android 2.1/2.2 when the certificate has a multi-certificate chain?
The details:
I am trying to implement client certificate authentication for the Android platform. There are plenty of discussions already on StackOverflow on how to do it using a KeyStore, and I am following the standard approach of supplying the key managers and trust managers to the SSLContext:
context.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
My client certificate has 3 certificates attached to it, forming a cert chain. On Android 2.3+, the SSL handshake executes successfully and I can move on with the request.
On Android 2.2, however, the same approach throws a "bad certificate" error:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (external/openssl/ssl/s3_pkt.c:1139 0x26bd38:0x00000003)
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeconnect(Native Method)
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:316)
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLOutputStream.<init>(OpenSSLSocketImpl.java:564)
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getOutputStream(OpenSSLSocketImpl.java:479)
This is the same error I get if I issue an OpenSSL command with an incomplete certificate chain in the CAfile argument:
openssl s_client -showcerts -cert [certificateFile] -key [keyFile] -connect [ip:port] -CAfile [cert-chain]
This leads me to believe that Android 2.1/2.2 does not inspect the full chain. To be sure, I checked the number of certificates in the chain in the KeyStore by using the getCertificateChain() method.
I have been looking for an Android bug related to my question, but haven't found any. Similar questions have been posted on SO without an answer:
- ssl-not-working-on-android-2-2-only-in-2-3
- android-2-2-ssl-library-error
The last comment by Nikolay Elenkov on the only answer seems to indicate the same conclusion that I have reached, but I can't find any documentation backing it.
This does indeed seem to be a bug in Android 2.1/2.2.
What I did was ask our administrator to create another client certificate that is issued directly by the Root CA. After receiving that certificate, I put it in the code as a resource, and it works without any modification other than having the KeyStore point to the new certificate.
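As an added example (not code from the question or the answer above), the following Java program performs the check the question describes before any handshake is attempted: it loads the client PKCS#12, reports how many certificates getCertificateChain() returns for the key entry, validates that chain with PKIX against a trust store, and only then initialises the SSLContext the same way the question does. The file names, the passwords, and the assumption that the trust store also holds the Root CA that issued the client certificate are placeholders; it is written against Java 6 APIs so it also compiles for Android 2.x.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the question or the answer.
 * Loads the client PKCS#12, prints the stored chain, validates it with PKIX
 * against a trust store, then builds the SSLContext. Java 6 APIs only.
 */
public class ClientChainCheck {

    // Assumed inputs (placeholders). On Android the trust store is normally a
    // BKS file: KeyStore.getDefaultType() is "BKS" there and "jks" on a desktop JVM.
    static final String CLIENT_P12 = "client.p12";
    static final char[] CLIENT_PASS = "changeit".toCharArray();
    static final String TRUST_STORE = "truststore.bks";
    static final char[] TRUST_PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore clientKs = load(KeyStore.getInstance("PKCS12"), CLIENT_P12, CLIENT_PASS);
        KeyStore trustKs = load(KeyStore.getInstance(KeyStore.getDefaultType()), TRUST_STORE, TRUST_PASS);

        String alias = firstKeyAlias(clientKs);
        Certificate[] chain = clientKs.getCertificateChain(alias);
        System.out.println("alias '" + alias + "' holds " + chain.length + " certificate(s):");
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  subject=" + x.getSubjectX500Principal()
                    + " issuer=" + x.getIssuerX500Principal());
        }

        // Fail before the handshake if the stored chain does not build to a trust
        // anchor. The anchor is assumed to be the Root CA of the client certificate,
        // held in the same trust store as the server CA here.
        validateChain(chain, trustKs);

        SSLContext ctx = buildContext(clientKs, CLIENT_PASS, trustKs);
        System.out.println("SSLContext initialised with " + ctx.getProtocol());
    }

    static KeyStore load(KeyStore ks, String path, char[] pass) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass);
        } finally {
            in.close();
        }
        return ks;
    }

    static String firstKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) {
                return a;
            }
        }
        throw new IllegalStateException("no private key entry in " + CLIENT_P12);
    }

    static void validateChain(Certificate[] chain, KeyStore trustKs) throws Exception {
        // A self-signed root stored at the end of the chain is dropped from the
        // path: the trust store supplies it as the anchor.
        int n = chain.length;
        X509Certificate last = (X509Certificate) chain[n - 1];
        if (n > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            n--;
        }
        List<Certificate> certs = Arrays.asList(chain).subList(0, n);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        PKIXParameters params = new PKIXParameters(trustKs);
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetch
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException ex) {
            throw new IllegalStateException("client chain of length " + chain.length
                    + " does not validate: " + ex.getMessage(), ex);
        }
    }

    static SSLContext buildContext(KeyStore clientKs, char[] keyPass, KeyStore trustKs) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

If this check passes with a chain of three but the handshake on Android 2.2 still ends in the "bad certificate" alert, the keystore itself is complete and the failure is on the wire, which is consistent with the behaviour the question and answer describe. Reissuing the leaf directly from the Root CA, as the answer does, is one way around it; the other, when you control the server, is to add the intermediate CA certificates to the server's trust store so that a client presenting only the leaf can still be validated.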
Source: https://stackoverflow.com/questions/9538714/android-2-2-ssl-bug-with-client-certificate