Thanks Nikolay,

Don't know if it was obvious from my post, but I'm developing an app,
which communicates with a payment service provider, which I trust.
The app should be deployed on many customers' mobiles. The customers
trust this app and use it for trading goods. They should not be
worried about certificate issues. Further response is embedded below:

On Aug 3, 6:30 pm, Nikolay Elenkov <[email protected]> wrote:
> On Thu, Aug 4, 2011 at 1:06 AM, hhenne <[email protected]> wrote:
> > Hi,
>
> > My first post to this list - I think.
>
> > When calling a payment service (HTTPS) from an Android 2.3 (Google
> > Nexus S) mobile, I got an exception from validation of the server
> > certificate. It is a valid certificate - no problem when calling the
> > same service from an IPhone.
>
> Valid and trusted are two different things. If the Android trust store
> doesn't contain the issuer of the certificate, you will get an error.

Where is the Android trust store, and can I as the app developer
access this trust store?

>
> > It seems to be a well known problem - googling for it, gives a lot of
> > hits and also some suggestions how to solve it. I have tried a couple
> > of them without success.
>
> What have you tried? Basically you need to supply your own
> trust store containing the issuer of the server certificate (and
> any other certificates needed to form a full chain, if any)

The solutions were trying to skip the validation process.

>
> > Now I'm asking this forum, and hope somebody
> > will direct me to a working solution. It is OK, if it only works on
> > 2.3, and I really don't need the validation at all.
>
> Are you sure you don't need the validation? Is it OK,
> if the payments go to a third-party server instead of yours/
> your partner's?

How should that be possible? My app is calling the payment service
provider, which I trust.

>
> > W/System.err( 9056): Caused by: java.security.SignatureException:
> > Signature was not verified
>
> This actually sounds like a broken certificate, not a trust problem.
> Can you post it somewhere?

Here is the response from calling the server with curl from my PC -
the certificate issuer is represented in the trust store on my PC:

curl -verbose "https://secure.quickpay.dk";
* About to connect() to secure.quickpay.dk port 443 (#0)
*   Trying 193.162.142.172... connected
* Connected to secure.quickpay.dk (193.162.142.172) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: serialNumber=ZKv/oWumfVRvqnb-xqFxf-If2UPPBAst; C=DK;
O=secure.quickpay.dk; OU=GT15378717; OU=See www.geotrust.com/resources/cps
(c)08; OU=Domain Control Validated - QuickSSL(R);
CN=secure.quickpay.dk
*        start date: 2010-07-06 04:51:59 GMT
*        expire date: 2012-01-27 21:27:45 GMT
*        subjectAltName: secure.quickpay.dk matched
*        issuer: C=US; O=Equifax; OU=Equifax Secure Certificate Authority
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (i686-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o 
> zlib/1.2.3.4 libidn/1.18
> Host: secure.quickpay.dk
> Accept: */*
> Referer: rbose
>
< HTTP/1.1 302 Found
< Date: Wed, 03 Aug 2011 18:01:52 GMT
< Server: Apache
< Location: http://www.quickpay.net
< Content-Length: 1
< Content-Type: text/html
<

* Connection #0 to host secure.quickpay.dk left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

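As an added example (not code from this thread) of what Nikolay describes, supplying your own trust store containing the server certificate's issuer instead of skipping validation: an Android class that builds an SSLContext trusting only a CA bundled with the app. It assumes the provider's issuer certificate (and any intermediates) is shipped as res/raw/issuer_ca.pem, referenced through the app's generated R class as R.raw.issuer_ca.

```java
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLContext that trusts only the CA chain shipped with the app. */
public final class ProviderTrust {

    // Assumed: res/raw/issuer_ca.pem holds the PEM-encoded issuer CA (plus any
    // intermediates) of the payment provider's server certificate; R is the
    // app's generated resource class.
    public static SSLContext build(Context context) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> chain;
        InputStream in = context.getResources().openRawResource(R.raw.issuer_ca);
        try {
            chain = cf.generateCertificates(in); // parses one or more PEM certs
        } finally {
            in.close();
        }

        // Empty in-memory key store holding only the bundled CA certs: the
        // device trust store (which lacks this issuer) is replaced, but the
        // chain is still validated, so a third-party server cannot impersonate
        // the provider the way it could if validation were disabled.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (Certificate c : chain) {
            ks.setCertificateEntry("ca" + i++, c);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a connection whose chain is checked against the bundled CA only;
     *  hostname verification stays at HttpsURLConnection's default. */
    public static HttpsURLConnection open(Context context, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(build(context).getSocketFactory());
        return conn;
    }
}
```

Because the bundled CA is the only trust anchor, the app must be updated if the provider changes issuer before the bundled certificate expires.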