Android Client certificate 403

Question

i am trying to establish a connection between android device and a web service using ssl with client certificate (server check as require client certificate), the certificate on the server is signed by CA (go-daddy) i also have a client certificate (*.pfx), i fallowed this tutorial to attach the client certificate file, i am calling the web service using ksoap2, i keep getting error 403, but from the device (or pc) web browser its working fine (after installing the certificate)... i don't know much about client certificate but it seems to me like the connection is not using my certificate in the correct way.

when i was testing with self sign certificate it all work well.

any ideas what i am doing wrong? my ksoap2 kod:

public void GetUser(String user_name, String password, boolean isSchedule,
        boolean writeTostatistic) throws Exception {

    Log.d(GlobalUtil.TAG_LOG, "Calling GetUser()  web service");
    String METHOD_NAME = "GetUser";
    globalUtil.user = new User();
    User us = new User();
    HttpsTransportSE httpTransport = new KeepAliveHttpsTransportSE(host,
            port, file, timeout);

    SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(
            SoapEnvelope.VER12);
    SoapObject Request = new SoapObject(NAMESPACE, METHOD_NAME);
    httpTransport.debug = true;
    envelope.dotNet = true;
    envelope.headerOut = new Element[1];
    envelope.headerOut[0] = elementHeaders;

    Request.addProperty("user_name", user_name);
    Request.addProperty("password", password);
    Request.addProperty("isSchedule", isSchedule);
    Request.addProperty("writeTostatistic", writeTostatistic);
    envelope.implicitTypes = true;
    envelope.setOutputSoapObject(Request); // prepare request

    envelope.addMapping(NAMESPACE, "User", new User().getClass());

    if (useCertificate) {
        try {
            ((HttpsServiceConnectionSE) httpTransport
                    .getServiceConnection())
                    .setSSLSocketFactory(sSLContext);
        } catch (IOException e) {

            e.printStackTrace();
        }
    } else
        allowAllSSL();

    List<HeaderProperty> httpHeaders = null;
    try {

        httpHeaders = httpTransport.call(SOAP_ACTION + METHOD_NAME,
                envelope, null);

        SoapObject response = (SoapObject) envelope.getResponse();

        if (response == null)
            return;

        us.Id = Integer.parseInt(response.getProperty("Id").toString());
        if (!response.getProperty("User_Name").toString()
                .equals("anyType{}"))
            us.User_Name = response.getProperty("User_Name").toString();
        if (!response.getProperty("Password").toString()
                .equals("anyType{}"))
            us.Password = response.getProperty("Password").toString();
        if (!response.getProperty("USER_HEBREW_FIRSTNAME").toString()
                .equals("anyType{}"))
            us.USER_HEBREW_FIRSTNAME = response.getProperty(
                    "USER_HEBREW_FIRSTNAME").toString();
        if (!response.getProperty("USER_HEBREW_LASTNAME").toString()
                .equals("anyType{}"))
            us.USER_HEBREW_LASTNAME = response.getProperty(
                    "USER_HEBREW_LASTNAME").toString();

        us.Merhav = Integer.parseInt(response.getProperty("Merhav")
                .toString());
        us.Yaam = Integer.parseInt(response.getProperty("Yaam").toString());
        us.Tat_Mifal = Integer.parseInt(response.getProperty("Tat_Mifal")
                .toString());
        us.Ezor = Integer.parseInt(response.getProperty("Ezor").toString());
        us.EzorLahatz = Integer.parseInt(response.getProperty("EzorLahatz")
                .toString());
        /*
         * us.PasswordExpirationDate=(Date)
         * response.getProperty("PasswordExpirationDate");
         */
        us.PasswordExpirationDate = User
                .ParsePasswordExpirationDate((response
                        .getProperty("PasswordExpirationDate").toString()));
        us.Password = password;
        globalUtil.user = us;
        SetSessionCookie(httpHeaders);
        Log.d(GlobalUtil.TAG_LOG, "Finish calling GetUser()  web service");

    } catch (IOException | XmlPullParserException e1) {
        if(e1!=null)
        {
            Log.e(GlobalUtil.TAG_LOG, e1.getMessage());
             throw e1;
        }
        Log.e(GlobalUtil.TAG_LOG, "Error in Login web service.");
        Log.e(GlobalUtil.TAG_LOG, "requestDump: "
                + httpTransport.requestDump);
        Log.e(GlobalUtil.TAG_LOG, "responseDump: "
                + httpTransport.responseDump);
    }

Answer 1

It is probably too late for you, but I am in a similar situation...

Older versions of Android (and pre-1.7 Java) had problem with (lack of) SNI in SSL. Supposedly this has been fixed since 2.3, but I believe somehow I have managed to mimic this bug in my 5.0 Android emulator. (Probably by using custom socket context factory.) In a browser I can access the URL using the same keystore/truststore, from Android I get 403.

What makes me believe that indeed lack of Server Name Indication is the cause...

openssl s_client -tls1_2 -connect myhost.domain.com:443 -state -cert client.crt -key client.key -pass pass:******** -CAfile server.cer -servername myhost.domain.com

...omitting the -servername param at the end results in 403, which is exactly what my Android code achieves. :D