Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?

Asked 23/6, 2015 at 11:57 Answered 29/11, 2016 at 20:11

Solved android ssl okhttp pkcs#12 sslsocketfactory

I am working on an Android app that requires Client Certificate Authentication (with PKCS 12 files). Following the deprecation of all that's apache.http.*, we have started a pretty big work of refactoring on our network layer, and we have decided to go with OkHttp as a replacement, and so far I like that very much.

However, I haven't found any other way to handle client certificate auth without using SSLSocketFactory, with OkHttp or anything else for that matter. So what would be the best course of action in this particular case? Is there another way with OkHttp to handle this sort of authentication?

Agitator answered 23/6, 2015 at 11:57 Comment(3)

SSLSocketFactory is not deprecated, either in the current shipping versions of Android or in the M Developer Preview. – Spun 23/6, 2015 at 12:4

Oh my god you are absolutely right, I never realised there were 2 classes SSLSocketFactory! org.apache.http.conn.ssl.SSLSocketFactory is deprecated but javax.net.ssl.SSLSocketFactory is not! Thanks a lot for this enlightenment. – Agitator 23/6, 2015 at 12:36

Conversely, I had not realized that HttpClient had their own SSLSocketFactory class. :-) – Spun 23/6, 2015 at 12:47

Apparently, there are two SSLSocketFactory classes. HttpClient has its own one, and that is deprecated along with the rest of HttpClient. However, everybody else will be using the more conventional javax.net.ssl edition of SSLSocketFactory, which is not deprecated (thank $DEITY).

Spun answered 23/6, 2015 at 12:48 Comment(0)

if you are using https, you have to use a valid certificate. During your dev stage you have to trust the certificate, how? sslSocketFactory(SSLSocketFactory sslSocketFactory) is deprecated and it's replaced by sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager), you have to update your gradle file the piece of code below will help you to get a trusted OkHttpClient that trusts any ssl certificate.

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
    throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
}
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, new TrustManager[] { trustManager }, null);
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
OkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(sslSocketFactory, trustManager);

Marguerite answered 29/11, 2016 at 20:11 Comment(4)

Thanks, the deprecated warning is removed simply by adding the trust manager. – Prelacy 20/2, 2017 at 14:21

I still get SSLHandshakeException: connection closed by peer – Infallibilism 13/6, 2018 at 20:0

I'm not expert in NTLM, but may you need to use an external library as JCIFS. – Marguerite 14/6, 2018 at 14:13

There is no reference of certificate in the code. – Samekh 3/8, 2022 at 12:29

Spun answered 23/6, 2015 at 12:48 Comment(0)

Recommended topics

Hot tags