 

Https connection, differences between Android 2.3 and 4

I'm working on a project that retrieves images from different servers (http and https).

I found this useful Q/A to avoid the problem of the "No peer certificate" error in Android 2.3, but I can't understand why in Android 4 (>3) this problem ("No peer certificate error") does not occur.

Please, correct me if I'm wrong:

  • In Android 2.3 an HTTPS connection performs the whole certificate check (and handshake);
  • In Android > 3 the HTTPS connection is established even if the handshake fails (e.g. my app, as the peer, does not have the certificate).

What are the differences between these versions of Android? Why do I need to "trust all" in Android 2.3 and not in Android 4?

Why do I receive the following exception in Android 2.3: "javax.net.ssl.SSLPeerUnverifiedException: No peer certificate error", while in Android 4 everything works fine and the connection is established?

Is everything related to SNI (Server Name Indication), introduced in Android Honeycomb?

StarsSky Avatar asked Mar 01 '13 10:03



1 Answer

Your certifying authority probably is not listed in the 2.3.3 version of Android, but is in the 4.x version. To find out for sure check the keystore on both devices.

Using ADB from the command line you can dump out Android's keystore to a file and check to see if that issuer is available in your keystore (may need to be root):

adb pull /system/etc/security/cacerts.bks cacerts.bks

Download and install Portecle (from: http://portecle.sourceforge.net/) Select File / Open Keystore... and choose the cacerts.bks file. Select Tools / Keystore Report and copy that information into a text editor to look for the CN specified in the certificate found from the web browser. In my case I couldn't find one from "Cybertrust Public SureServer SV CA".

Browse to the website you are interested in using https://example.website.com/ on your computer web browser and find out who the CN is. Compare that to the keystore as shown above. If it is not in the keystore you will need to add it.

NOTE: Android 4.0 phones have a different method for storing certificates and don't use the cacerts.bks file mentioned below. For them you should be able to open the desired https site in the web browser and add the desired certificates that way.

I had connection issues to Facebook and Redbox. To fix my problem and update my Android 2.3.3 phone certificates I copied the one from the Android 3.2 emulator and put that on my phone:

  1. Create and start an Android 3.2 virtual device.
  2. Copy the cacerts.bks file from the emulator (make sure your other device is not connected):
     adb pull /system/etc/security/cacerts.bks cacerts.bks
  3. Disconnect the emulator.
  4. Connect your device to be updated (must be root). You may need to remount the /system folder as rw for read/write capabilities. For mounting issues, see: this link
  5. Save a copy of the old cert file from your device:
     adb pull /system/etc/security/cacerts.bks cacerts.bks.old
  6. Put the updated cert file on your device:
     adb push cacerts.bks /system/etc/security/
  7. Reboot the device.
  8. Reconnect and verify the new cacert file was loaded.
RightHandedMonkey Avatar answered Sep 18 '22 17:09

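The "compare the issuer to the keystore" step from the answer above, as an added example that is not part of the original post: it walks the server's certificate chain leaf-first and reports the CA that the device's trust store would need before the handshake can verify the peer. It assumes the two text inputs are the output of `keytool -list -v` on the pulled cacerts.bks (with the Bouncy Castle provider for the BKS format) and of `keytool -printcert -sslserver host:443`; the sample texts below are constructed, and the DN comparison is a loose normalisation, not full RFC 4518 matching.

```python
import re

# Constructed sample of `keytool -list -v -keystore cacerts.bks -storetype BKS
#   -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov.jar`
# reduced to the fields this script reads (one trusted root).
STORE_LISTING = """\
Alias name: example-root-ca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Trust, C=US
Issuer: CN=Example Root CA, O=Example Trust, C=US
"""

# Constructed sample of `keytool -printcert -sslserver example.website.com:443`
# for a two-certificate chain whose root is NOT in the store above.
SERVER_CHAIN = """\
Certificate #0
====================================
Owner: CN=example.website.com, O=Example Site, C=US
Issuer: CN=Other Intermediate CA, O=Other Trust, C=US

Certificate #1
====================================
Owner: CN=Other Intermediate CA, O=Other Trust, C=US
Issuer: CN=Other Root CA, O=Other Trust, C=US
"""


def norm(dn):
    """Loose DN normalisation: trim whitespace around each RDN, compare case-insensitively."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_certs(text):
    """Return [(subject, issuer), ...] in the order the certificates are printed."""
    subjects = re.findall(r"^Owner: (.+)$", text, re.MULTILINE)
    issuers = re.findall(r"^Issuer: (.+)$", text, re.MULTILINE)
    return [(norm(s), norm(i)) for s, i in zip(subjects, issuers)]


def find_missing_anchor(chain, store):
    """Return None if some certificate in the chain is itself a trusted entry or is
    issued by one (the chain is anchored); otherwise return the issuer DN of the last
    certificate sent, i.e. the CA the device lacks and would raise
    SSLPeerUnverifiedException for."""
    trusted = {subject for subject, _ in store}
    for subject, issuer in chain:
        if subject in trusted or issuer in trusted:
            return None
    return chain[-1][1] if chain else None
```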