Android: Users with certain devices cannot use my application's web-services - SSLPeerUnverifiedException

Question

I have an application which interacts over https with a server I have. I have a valid certificate.

The application works fine for most users, but some users are reporting that they have problems connecting with their rooted devices. They are also reporting with the HTC Evo 2.3.3, with the upgrade from Sprint, the application has the same behavior.

I borrowed a friends' Evo, and was able to get the following stack-trace below. I have seen solutions for this which are basically 'accept all certs' but that is not possible since I am releasing this in production.

Has anyone seen a fix for this? Possibly storing my server's cert directly on the device?

06-24 15:15:52.051: WARN/ServiceOperation(1535): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:258)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:164)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:359)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
06-24 15:15:52.051: WARN/ServiceOperation(1535):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)

Answer 1

It seems related to a issue HTC created when they released 2.3.3. There's a bug report about it here: http://code.google.com/p/android/issues/detail?id=16885#c7

I'm going to hold off on hardcoding anything into the application, So I guess for now I won't support these users.