I am trying to test out all aspects of the network security configuration capability of the N Developer Preview. I have most of it working, but I am stumped by the self-signed certificate scenario.
According to the docs, Android N should be happy with a PEM or DER file, as it is for other certificate validation scenarios. However, I do not work with self-signed certificates much, and my attempts to get this working keep running into certificate path validation exceptions.
For testing, I am using thin as the server, running on my development machine, reachable by an N emulator. The self-signed certificate works for browsers on my development machine, and if I switch to running thin sans SSL, apps can reach the server just fine. So, it's not a connectivity issue.
I created the self-signed certificate using the instructions on this site:
sudo openssl genrsa -out "/etc/[webserver]/ssl/example.key" 2048
sudo openssl req -new -key "/etc/[webserver]/ssl/example.key" \
-out "/etc/[webserver]/ssl/example.csr"
sudo openssl x509 -req -days 365 -in "/etc/[webserver]/ssl/example.csr" \
-signkey "/etc/[webserver]/ssl/example.key" \
-out "/etc/[webserver]/ssl/example.crt"
According to this Stack Overflow answer, the example.crt file is a PEM file. Elsewhere, I see instructions for creating a "combined PEM" file. However, I tried both of these, with no luck.
In terms of the network security configuration stuff, I have tried both <domain-config> and <debug-overrides>. The latter looks like:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/selfsigned"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
But, I get the validation error in either case.
What exactly should we be putting in as a PEM or DER file, as a raw resource, that makes this work?
This appears to be working on N Developer Preview 2, using the example.crt generated by the openssl scripts shown in the question. For the moment, I am going to assume that there was a change in N Developer Preview 2 compared to N Developer Preview 1 that accounts for the change.
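The following script is an added example, not part of the question or the answer above. It runs the same kind of openssl workflow the question describes, but folds it into a few checks a practitioner would want before dropping a certificate into res/raw: that the file parses as PEM and as DER (the two encodings the question says the docs accept), that it verifies against itself as the sole trust anchor (which is exactly what listing a self-signed certificate under <trust-anchors> asserts), that it carries a subjectAltName for the host the emulator will actually connect to, and that a "combined PEM" with the private key in it never ends up in the app. The host names and the 10.0.2.2 address (the emulator's alias for the development machine) are assumptions for this example; the question does not state which host it used.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate, emit PEM and DER, and
# sanity-check both before packaging one as an Android raw resource.
# Requires openssl 1.1.1+ for -addext. Not code from the original post.

# gen_selfsigned KEY CRT
# Key and self-signed certificate in one step. The SAN entries are an
# assumption: localhost/127.0.0.1 for a local browser, 10.0.2.2 for an
# emulator reaching its host machine. Hostname verification needs a SAN
# that matches whatever the app puts in the URL.
gen_selfsigned() {
    key="$1"; crt="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$key" -out "$crt" \
        -subj "/CN=selfsigned-test" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1,IP:10.0.2.2" \
        >/dev/null 2>&1
}

# pem_to_der PEM DER
# The network security config accepts either encoding as a raw resource;
# produce the DER form so both can be checked the same way.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2" 2>/dev/null
}

# parses_as FILE PEM|DER  -> 0 if openssl can load FILE in that encoding
parses_as() {
    openssl x509 -in "$1" -inform "$2" -noout >/dev/null 2>&1
}

# verifies_against_self CRT -> 0 if CRT validates with itself as the only
# trust anchor, i.e. the trust relationship a self-signed entry under
# <trust-anchors> expresses. A cert that fails this will fail on the device too.
verifies_against_self() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# san_contains CRT ENTRY -> 0 if the SAN lists ENTRY, e.g. "IP Address:10.0.2.2"
# Uses -text rather than -ext for compatibility with older openssl builds.
san_contains() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# contains_private_key FILE -> 0 if FILE carries a PEM private key block.
# A "combined PEM" (key + cert) must never be shipped in res/raw: the raw
# resource should hold the certificate only.
contains_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# demo DIR: run the whole pipeline and print what a reviewer would check.
demo() {
    d="$1"
    gen_selfsigned "$d/example.key" "$d/example.crt"
    pem_to_der "$d/example.crt" "$d/example.der"
    for enc in PEM DER; do
        f="$d/example.crt"; [ "$enc" = DER ] && f="$d/example.der"
        if parses_as "$f" "$enc"; then echo "$enc: parses"; else echo "$enc: does NOT parse"; fi
    done
    verifies_against_self "$d/example.crt" && echo "verifies against itself as trust anchor"
    san_contains "$d/example.crt" "IP Address:10.0.2.2" && echo "SAN covers 10.0.2.2"
    contains_private_key "$d/example.crt" || echo "certificate file carries no private key: safe for res/raw"
}

# Run only when executed directly (not when sourced for the checks below).
case "$0" in *sh) ;; *) demo "$(mktemp -d)" ;; esac
```

Copy example.crt (or example.der) into res/raw as selfsigned.crt or selfsigned.der and reference it as @raw/selfsigned, as the question already does; the checks above only confirm that the file is a certificate the platform can parse and that the chain it will be asked to build is a one-element chain terminating in itself.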