Using self signed certificate with couchbase lite on android?


#1

I am trying to use a self-signed certificate in my Android app to communicate with Sync Gateway. My Sync Gateway instance is running with SSL. I am able to communicate with Sync Gateway from my web server.

But when in-app replication starts, it throws this error:

01-28 21:15:04.362 847-878/? E/Sync: com.couchbase.lite.replicator.ReplicationInternal$4@ac5e532: Session check failed
                                     javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
                                         at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:328)
                                         at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:406)
                                         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170)
                                         at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
                                         at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
                                         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:366)
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:560)
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:492)
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:470)
                                         at com.couchbase.lite.support.RemoteRequest.executeRequest(RemoteRequest.java:184)
                                         at com.couchbase.lite.support.RemoteRequest.run(RemoteRequest.java:103)
                                         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:423)
                                         at java.util.concurrent.FutureTask.run(FutureTask.java:237)
                                         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:269)
                                         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
                                         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
                                         at java.lang.Thread.run(Thread.java:818)
                                      Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
                                         at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
                                         at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219)
                                         at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:115)
                                         at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:556)
                                         at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
                                         at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
                                         at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:406) 
                                         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170) 
                                         at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169) 
                                         at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124) 
                                         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:366) 
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:560) 
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:492) 
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:470) 
                                         at com.couchbase.lite.support.RemoteRequest.executeRequest(RemoteRequest.java:184) 
                                         at com.couchbase.lite.support.RemoteRequest.run(RemoteRequest.java:103) 
                                         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:423) 
                                         at java.util.concurrent.FutureTask.run(FutureTask.java:237) 
                                         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:269) 
                                         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113) 
                                         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588) 
                                         at java.lang.Thread.run(Thread.java:818) 
                                      Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
                                         at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318) 
                                         at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219) 
                                         at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:115) 
                                         at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:556) 
                                         at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) 
                                         at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324) 
                                         at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:406) 
                                         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170) 
                                         at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169) 
                                         at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124) 
                                         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:366) 
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:560) 
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:492) 
                                         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:470) 
                                         at com.couchbase.lite.support.RemoteRequest.executeRequest(RemoteRequest.java:184) 
                                         at com.couchbase.lite.support.RemoteRequest.run(RemoteRequest.java:103) 
                                         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:423) 
                                         at java.util.concurrent.FutureTask.run(FutureTask.java:237) 
                                         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:269) 
                                         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113) 
                                         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588) 
                                         at java.lang.Thread.run(Thread.java:818) 
01-28 21:15:04.362 847-878/? E/Sync: com.couchbase.lite.replicator.PullerInternal@ff44cde: Progress: set error = javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I saw there is a method mentioned on this page under Cert Pinning: https://github.com/couchbase/sync_gateway/wiki/SSL-support. But I am unable to find that method on any object.

However, I found another resource in the documentation here: "The SSL client API you're using should have a function to either register a trusted 'root certificate', or to check whether two certificates have the same key."

I think this is also pointing to the same cert pinning, I guess.

How can I use that on Android? I have the certificate in the assets folder. How can I instruct Couchbase Lite to use that cert for replication?


#2

This sample app provides a good example for using cert pinning on Android.

There’s a code snippet to explain how to pin the certificate:

HttpParams httpParams = new BasicHttpParams();

// Register an HTTPS scheme whose socket factory trusts only the certificates in keyStore
// (the key store holding the pinned Sync Gateway certificate), not the system CA set.
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", new SSLSocketFactory(keyStore), 443));

ThreadSafeClientConnManager clientMan = new ThreadSafeClientConnManager(httpParams, schemeRegistry);

httpClient = new DefaultHttpClient(clientMan, httpParams);

In the CBL SDK, you can create a new Couchbase Lite HTTP client factory and attach it to the Manager class (see the sample app README to get the cert from the filesystem into a KeyStore object):

Database database = null;
try {
    database = manager.getDatabase("mydb");
} catch (CouchbaseLiteException e) {
    e.printStackTrace();
}
// The cookie store needs a database to persist session cookies in.
CouchbaseLiteHttpClientFactory clientFactory = new CouchbaseLiteHttpClientFactory(new PersistentCookieStore(database));
// <keystore> is the KeyStore containing the pinned Sync Gateway certificate.
clientFactory.setSSLSocketFactory(new SSLSocketFactory(<keystore>));
// Every replication created through this Manager now uses the pinned socket factory.
manager.setDefaultHttpClientFactory(clientFactory);

James
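A complete version of the wiring above, added here as an example rather than code taken from the sample app or the Couchbase SDK: it reads the self-signed certificate out of the assets folder (the asset name `sync_gateway.crt`, the class name and the method names are my own assumptions) into an empty in-memory KeyStore, so that only that certificate is a trust anchor, and hands it to the Couchbase Lite 1.x `CouchbaseLiteHttpClientFactory`.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import android.content.Context;
import org.apache.http.conn.ssl.SSLSocketFactory;

import com.couchbase.lite.Database;
import com.couchbase.lite.Manager;
import com.couchbase.lite.support.CouchbaseLiteHttpClientFactory;
import com.couchbase.lite.support.PersistentCookieStore;

public final class PinnedSyncGatewayClient {

    // Assumed asset name: the Sync Gateway's self-signed cert, PEM or DER encoded.
    private static final String CERT_ASSET = "sync_gateway.crt";

    /** Build a trust store containing only the Sync Gateway certificate. */
    static KeyStore loadTrustStore(Context context) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = context.getAssets().open(CERT_ASSET);
        Certificate cert;
        try {
            cert = cf.generateCertificate(in);
        } finally {
            in.close();
        }
        // Start from an empty store: the device's system CAs are deliberately
        // not included, so only this certificate can satisfy the handshake.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("sync-gateway", cert);
        return trustStore;
    }

    /** Make every replication created through this Manager use the pinned store. */
    static void installPinnedFactory(Context context, Manager manager, Database database)
            throws Exception {
        // SSLSocketFactory(KeyStore) uses the store as its trust store; hostname
        // verification stays at the default, so the cert's CN/SAN must match the
        // host in the replication URL rather than being switched off.
        SSLSocketFactory sslFactory = new SSLSocketFactory(loadTrustStore(context));
        CouchbaseLiteHttpClientFactory clientFactory =
                new CouchbaseLiteHttpClientFactory(new PersistentCookieStore(database));
        clientFactory.setSSLSocketFactory(sslFactory);
        manager.setDefaultHttpClientFactory(clientFactory);
    }
}
```

Call `installPinnedFactory` once, before creating any Replication, and a handshake against any other certificate will fail with the same "Trust anchor for certification path not found" error shown in the question.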


#3

Comments from here (https://github.com/couchbase/couchbase-lite-java-core/pull/9#issuecomment-176432412) might help.


#4

Ohh, that's me only. Finally I came across that FAQ page that points to that issue page, and I finally got it working. I think this should be documented on the page where you explain how to get SSL working, under the Transport Layer Security (HTTPS) section, maybe?

Thank you so much for the example.

I found the details for SSL for iOS here. But nothing for Android.

Sorry I was a bit late to reply here. But now it's working! Yehh!


#5

How did you create the SSL certificate? I'm a beginner, and I'm trying to create an SSL certificate. Can you please tell me how you created it?


#6

This thread might help you: https://stackoverflow.com/questions/2355568/create-a-openssl-certificate-on-windows


#7

I wrote a wiki page a while ago describing how to set up an SSL cert for Sync Gateway.