Android 2.3: HttpClient SSL certificate problem: Intermediate certificate lacks BasicConstraints
<p>I'm running into a problem using <a href="https://stackoverflow.com/questions/1217141/self-signed-ssl-acceptance-android/1217162#1217162">this method</a> to address a "javax.net.ssl.SSLPeerUnverifiedException: No peer certificate" exception encountered using HttpClient 4. This, however, caused the following javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException:</p>
<pre><code>System.err W javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Intermediate certificate lacks BasicConstraints
System.err W at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:477)
System.err W at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.&lt;init&gt;(OpenSSLSocketImpl.java:750)
System.err W at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:692)
System.err W at org.apache.http.impl.io.SocketInputBuffer.&lt;init&gt;(SocketInputBuffer.java:93)
System.err W at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83)
System.err W at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170)
System.err W at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106)
System.err W at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129)
System.err W at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:171)
System.err W at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
System.err W at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
System.err W at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:359)
System.err W at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
System.err W at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
System.err W at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
System.err W at com.example.activities.AuthTest.onCreate(AuthTest.java:69)
System.err W at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1047)
System.err W at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1722)
System.err W at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1784)
System.err W at android.app.ActivityThread.access$1500(ActivityThread.java:123)
System.err W at android.app.ActivityThread$H.handleMessage(ActivityThread.java:939)
System.err W at android.os.Handler.dispatchMessage(Handler.java:99)
System.err W at android.os.Looper.loop(Looper.java:130)
System.err W at android.app.ActivityThread.main(ActivityThread.java:3835)
System.err W at java.lang.reflect.Method.invokeNative(Native Method)
System.err W at java.lang.reflect.Method.invoke(Method.java:507)
System.err W at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:847)
System.err W at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:605)
System.err W at dalvik.system.NativeStart.main(Native Method)
System.err W Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Intermediate certificate lacks BasicConstraints
System.err W at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:161)
System.err W at com.example.models.EasyX509TrustManager.checkServerTrusted(EasyX509TrustManager.java:80)
System.err W at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:664)
System.err W at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
System.err W at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:474)
System.err W ... 28 more
System.err W Caused by: java.security.cert.CertPathValidatorException: Intermediate certificate lacks BasicConstraints
System.err W at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.prepareNextCertK(RFC3280CertPathUtilities.java:2127)
System.err W at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:384)
System.err W at java.security.cert.CertPathValidator.validate(CertPathValidator.java:197)
System.err W at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:156)
System.err W ... 32 more
</code></pre>
<p>I got around <em>that</em> by commenting out the following else block found in EasyX509TrustManager.java:</p>
<pre><code>public void checkServerTrusted( X509Certificate[] certificates, String authType ) throws CertificateException
{
    if ( ( certificates != null ) &amp;&amp; ( certificates.length == 1 ) )
    {
        certificates[0].checkValidity();
    }
    //else
    //{
    //    standardTrustManager.checkServerTrusted( certificates, authType );
    //}
}
</code></pre>
<p><em>Voila!</em> And everything works as it should. The problem is that I really have no idea what the "Intermediate certificate lacks BasicConstraints" exception means or if commenting out that else block introduces a security risk where I may be trusting invalid certificates.</p>
<p>The original SSLPeerUnverifiedException did not occur on either Android 2.1 or 2.2, so this seems to be just a problem on Android 2.3+.</p>
<p>Could someone please help me understand what exactly that exception means? And if this is a security risk, how would I begin to go about resolving this issue?</p>
 
