Secured web page fails to get a valid response from an Android NanoHTTPD web server due to a self-signed certificate (localhost)

I have a secured (SSL) web page running on an Android device, while there is also a native Android application with a web server inside, which runs on the same device. The inner web server listens for HTTPS requests (using NanoHTTPD for Android).

In order for the web page and the web server to communicate (by AJAX requests), I have installed a self-signed certificate in the Android native app.

Here is the related code in the Android native app (web server):

// The BKS keystore on the classpath holds the self-signed certificate and its private key.
// makeSSLSocketFactory and createServerSocket both throw IOException (handle or declare it).
sslServer = new WebServer(PORT);
SSLServerSocketFactory mySSLSocketFactory =
        NanoHTTPD.makeSSLSocketFactory("/mybks.bks", "myPassword".toCharArray());
SSLServerSocket ss = (SSLServerSocket) mySSLSocketFactory.createServerSocket();
sslServer.makeSecure(mySSLSocketFactory, ss.getSupportedProtocols());
sslServer.start(600);
The problem is that the self-signed certificate wasn't issued by a known certificate authority (CA), so the AJAX request fails to get a valid response from the web server.

BUT if I open the browser and request the HTTPS URL (the one that fails in my AJAX request) that points to my running NanoHTTPD web server, I get the message "Your connection is not private", and after clicking "Proceed to ____ (unsafe)" everything starts working.


I thought there should be some kind of solution to this problem, so that on any new Android device I would not need to do the same thing (allow it once so that it works on subsequent attempts).

Hi,

First of all, do you use a domain name to connect? (Because if you don't, you can't obtain a trusted certificate from any known CA.)

Thank you.

You might want to ask on an Android development forum whether there's a standard recommendation that applies to this case. As @stevenzhu suggests, you probably won't be able to use a trusted certificate, because you would have to prove your control over a specific domain name (and you're not allowed to distribute the associated private key to the public in this case).

This explains how to trust other certificates in your client application:

https://developer.android.com/training/articles/security-ssl.html#UnknownCa

It also briefly discusses how to trust any certificate regardless of validity (the code equivalent of just bypassing the security warning), but it also explains why that is a really bad idea.

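For readers who control the client side (for example an Android app or WebView-hosted code issuing the HTTPS request, rather than a stock browser whose trust store you cannot change), here is what the "Unknown CA" approach in the linked Android guidance looks like in plain Java. This is an added example written for this thread, not code from the original poster or from the NanoHTTPD project; the resource name, class name and URL are assumptions. It trusts exactly one certificate, the server's own self-signed one, instead of disabling validation for everything:

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedSelfSignedClient {

    // Builds an SSLContext whose only trust anchor is the server's self-signed
    // certificate (PEM or DER). Any other certificate, valid or not, is rejected,
    // which is the narrow alternative to "trust everything" that the Android guide warns against.
    public static SSLContext trustOnly(InputStream certificateStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = certificateStream) {
            serverCert = cf.generateCertificate(in);
        }

        // Fresh in-memory keystore containing just that one certificate entry.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("nanohttpd-self-signed", serverCert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Fetches a URL over HTTPS using only the pinned trust anchor. Hostname
    // verification is deliberately left at its default: the certificate's
    // subject/SAN must match the host in the URL (e.g. "localhost"), otherwise
    // the connection still fails, which is the correct outcome.
    public static String fetch(InputStream certificateStream, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(trustOnly(certificateStream).getSocketFactory());
        try (InputStream body = conn.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = body.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    // Hypothetical usage on Android: the certificate (public part only, never the
    // private key) ships inside the app, e.g. as a raw resource:
    //   InputStream cert = context.getResources().openRawResource(R.raw.server_cert);
    //   String reply = PinnedSelfSignedClient.fetch(cert, "https://localhost:" + PORT + "/");
}
```

Two points worth keeping in mind when adapting this: only the certificate (not the private key from the BKS keystore) is bundled in the client, and because hostname checking stays enabled, the self-signed certificate must have been issued for the exact host name the request uses.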
