Secure connections with client certificates in Android

Dear developers.

We are testing Ice with Android for a multi-client application in which we will need secure communications. At the moment we are using Ice-3.5.1 and the hello application that comes with the Ice examples.

The non-secure communications worked without problems, but the secure ones did not. We then found in the Known Problems in Ice 3.5 that we have to set "IceSSL.VerifyPeer=0" in the server, which results in the server not requesting a certificate from the client. This made the demo application run on (most of) our phones (not on all, but this does not belong to this thread).

The document states that "A limitation in Android 2.3 prevents the use of client certificates". This seems to imply that one cannot develop client applications in Android using client certificates at all, which in my inexpert eyes sounds like a strong "hole" on Android's side. However, from Android's documentation it seems to me that it is possible to use SSL and certificates.

A similar issue (if not the same) and solution were commented in the Known Problems in Ice 3.4.2, but this time the document seems to mention two issues: a bug in Android and an incompatibility issue between an Android client and an Ice for C++.

So, I am confused with all this. I would like to understand clearly whether this is a limitation in Android or Ice, and what is the cause of this incompatibility. Specifically, I'd like to know whether we can use (and how), or will eventually be able to use, SSL communications with certificates in Android using Ice.

Please bear in mind that I am neither a security nor an Android expert, so I would appreciate detailed answers and/or references that help me understand this issue clearly.

Thanks in advance.
J.

Comments

  • benoit (Rennes, France)
    Hi,

    This was a problem with old Android versions (2.x); it should work with recent Android versions (4.x). On which Android version does it fail for you? Did you try with the certificates from the Ice source or demo distributions (the client.bks and server.bks files in the certs directory)?

    If you're starting a new project, I encourage you to try out the Ice 3.6 beta. The final release is due to be released very soon.

    Cheers,
    benoit.
  • Hello Benoit, thanks for the prompt answer.
    benoit wrote: »
    This was a problem with old Android versions (2.x); it should work with recent Android versions (4.x). On which Android version does it fail for you? Did you try with the certificates from the Ice source or demo distributions (the client.bks and server.bks files in the certs directory)?

    The code we used is the one from the Ice-3.5 demos with no changes (we only changed the server IP on the configuration files).

    Regarding the files of the certificates, on the server side we used Ice-3.5.1-demos/certs/server.jks, and in the phone we used the one within the android example (/Ice-3.5.1-demos/demoj/android/hello/res/raw/client.bks). So this one is not the one in the certs folder.

    We tried with Android 4.4.2 and Android 5.0 phones, and both were initially not working until we disabled the verification of the client's certificate in the server.

    After that, and I don't know how, eventually we managed to make it work on the 4.4.2, but not on the 5.0 phones (loading exactly the same program).
    benoit wrote: »
    If you're starting a new project, I encourage you to try out the Ice 3.6 beta. The final release is due to be released very soon.

    Yes, thanks for the suggestion. We just did that, and now it seems to work on all our phones. I had to use the C++ code on the server side, because I could not get the examples ready in Java (an issue for which I created another post).

    So we will go for Ice-3.6, as the new features are also interesting. Is there an estimate of the official release date?

    Regards and thanks.

    J.
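
Added example, not part of the original thread and not ZeroC's code: a small Python check that flags the "IceSSL.VerifyPeer=0" workaround discussed above in a server property file, together with any plaintext endpoints left enabled. The two sample configurations are constructed, and the endpoint parsing assumes no colons inside host values.

```python
# Added example: audit an Ice server property file for weakened peer
# verification. Sample configurations below are constructed for illustration.
VERIFY_PEER_MEANING = {
    0: "server does not request a client certificate",
    1: "server requests a client certificate but accepts clients without one",
    2: "server requires a valid client certificate",
}

WORKAROUND = """\
# constructed sample: demo-style server config with the workaround applied
Hello.Endpoints=tcp -p 10000:udp -p 10000:ssl -p 10001
IceSSL.VerifyPeer=0   # client certificates are never requested
"""

HARDENED = """\
# constructed sample: SSL-only endpoint, client certificate mandatory
Hello.Endpoints=ssl -p 10001
IceSSL.VerifyPeer=2
"""

def parse_properties(text):
    """Parse 'key=value' lines, ignoring blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_server_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    props = parse_properties(text)
    findings = []
    raw = props.get("IceSSL.VerifyPeer", "2")  # IceSSL defaults to 2
    level = int(raw) if raw.isdigit() else None
    if level not in VERIFY_PEER_MEANING:
        findings.append(f"IceSSL.VerifyPeer={raw!r} is not 0, 1 or 2")
    elif level < 2:
        findings.append(f"IceSSL.VerifyPeer={level}: {VERIFY_PEER_MEANING[level]}")
    for key, value in props.items():
        if key.endswith(".Endpoints"):
            for endpoint in value.split(":"):  # assumes no ':' in host values
                parts = endpoint.split()
                if parts and parts[0] in ("tcp", "udp"):
                    findings.append(f"{key} has a plaintext endpoint: {endpoint.strip()}")
    return findings
```

With VerifyPeer below 2 the server cannot rely on the TLS layer to identify clients, so any client authentication has to happen at the application level.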