Hi everyone, I have decided to use the Funambol android client to sync my contacts with my private server. The client application connects nicely to my server over HTTP, but I would like it to use HTTPS. This is supposed to work flawlessly on sites with trusted certificates, but I do unfortunately only have a self-signed certificate (which results in a javax.net.ssl.SSLPeerUnverifiedException). My plan is therefore to add support for self-signed certificates to this application. As far as I understand there are four ways to do this:
1: Do not verify certificates at all. This is the easiest fix that solves my problem, but is considered horrible from a security perspective. I would like to avoid this solution.

2: Create a Bouncy Castle keystore and add my certificate to the client at compile time. Does wonders for me, but is bad for others in my situation (not everyone wants to compile all their Android applications).

3: Make the Funambol client use the certificates that a user has imported through the Settings->Security->Install_from_memory_card menu in Android. Sounds like a good solution, but seems to be impossible to do for some reason. Never found a single comment on Google on how to do this. (I did try to import my self-signed certificate, but I still get the SSLPeerUnverifiedException.)

4: Make the Funambol client warn about self-signed certificates and then remember the accepted certificates for later (the typical behavior of an email application). Probably the best way to do it. I have not found any pointers on how to do this on Google though, but I guess I could bend my brain around the K-9mail source code and see if I understand what they have done.

Anyway, can anyone tell me what is the "right" way to fix this issue so that users of Android applications can use both self-signed and globally trusted certificates - and that without sacrificing security completely?
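
Option 4 as an added example (not part of the original post, and not Funambol or K-9 Mail code): an X509TrustManager that tries the platform CA store first and otherwise accepts only a certificate whose SHA-256 fingerprint the user has already confirmed. The class name RememberingTrustManager and its accept() method are hypothetical; persisting the fingerprints and showing the confirmation dialog are assumed to be done by the app.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class: platform trust first, then certificates the user explicitly accepted.
public class RememberingTrustManager implements X509TrustManager {
    private final X509TrustManager systemTm;
    // Hex SHA-256 fingerprints of accepted server certificates (the app must persist these).
    private final Set<String> accepted = Collections.synchronizedSet(new HashSet<String>());

    public RememberingTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform's default CA store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (found == null && tm instanceof X509TrustManager) found = (X509TrustManager) tm;
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        systemTm = found;
    }
    public static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }
    // Call only after the user has been shown the fingerprint and confirmed it.
    public void accept(X509Certificate cert) throws CertificateException {
        accepted.add(fingerprint(cert));
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try { systemTm.checkServerTrusted(chain, authType); return; } // globally trusted
        catch (CertificateException notCaTrusted) { /* fall through to the accepted set */ }
        if (chain == null || chain.length == 0 || !accepted.contains(fingerprint(chain[0])))
            throw new CertificateException("certificate not trusted and not accepted by user");
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { systemTm.checkClientTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return systemTm.getAcceptedIssuers(); }
}
```

It is installed with SSLContext.init(null, new TrustManager[] { tm }, null), and hostname verification stays enabled alongside it. A changed certificate fails the check again, so the user is asked once more instead of the new certificate being trusted silently.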

