My application, which was working fine on 2.2, is broken on 2.3 due to a change in the way that the X509TrustManager callbacks have been implemented on Android 2.3. My application has a class which implements the X509TrustManager interface. It is called during the handshake with a server so that the user can make a decision about whether to trust the certificate.

On Android 2.2 and earlier, the behaviour when this class was used is as follows:

1) The checkServerTrusted method is called by the framework
2) The user decides not to accept the certificate, which results in my method throwing a CertificateException
3) This is caught by the framework and used to create a new SSLException
4) The SSLException is delivered to my networking code, which handles the specific exception

However, on Android 2.3 using the emulator, this interaction model has changed to the following:

1) The checkServerTrusted method is called by the framework
2) The user decides not to trust the certificate, which results in my method throwing a CertificateException
3) This is caught by the framework, which AGAIN calls my checkServerTrusted method
4) The user is again prompted and again decides not to accept the certificate, which results in another CertificateException being thrown from my code
5) The framework catches this exception, then generates an IOException that is delivered to my networking code with the detail message being "server xyz not verified"

As you can see, the behaviour is very different between earlier versions of Android and the latest 2.3 release. You can quite easily reproduce the problem using the browser as well, which has inherited the same bug. To do this, make an HTTPS connection to a website that makes use of a self-signed certificate. You'll be presented with a dialog that allows you to accept, view or reject the certificate. Clicking reject causes the same dialog to be shown one more time. Clicking reject a second time results in an empty screen being displayed.

I'd suggest that something is broken in 2.3 in the way that the CertificateException thrown by the X509TrustManager is handled by the framework. I'm seeing a major change in the interaction between my application and the framework that I can reproduce using the Android browser.
Thanks
Lee
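
One way an application could keep the user from being prompted twice when checkServerTrusted is called more than once for the same chain, as described above (an added example, not part of the original post or of Android's code): the trust manager remembers the user's decision keyed by the SHA-256 fingerprint of the leaf certificate. The class name `RememberingTrustManager` and the `Prompt` callback interface are hypothetical.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.X509TrustManager;

/** Hypothetical wrapper: asks the user once per leaf certificate and replays the answer. */
public class RememberingTrustManager implements X509TrustManager {
    /** Hypothetical UI hook (assumption); returns true if the user accepts the chain. */
    public interface Prompt { boolean userAccepts(X509Certificate[] chain); }
    private final Prompt prompt;
    // Decision per SHA-256 fingerprint of the leaf certificate (hex string -> accepted?).
    private final Map<String, Boolean> decisions = new ConcurrentHashMap<String, Boolean>();
    public RememberingTrustManager(Prompt prompt) { this.prompt = prompt; }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        String key = fingerprint(chain[0]);
        Boolean accepted = decisions.get(key);
        if (accepted == null) {                 // first callback for this certificate: ask
            accepted = prompt.userAccepts(chain);
            decisions.put(key, accepted);
        }
        // A repeated callback for the same certificate rethrows without a second dialog.
        if (!accepted) throw new CertificateException("certificate rejected by user: " + key);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
        throw new CertificateException("client certificates are not accepted");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    private static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
}
```

Decisions last as long as the instance does, so creating a new instance per connection attempt makes the user be asked again on the next attempt.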

