i am trying to establish a connection between android device and a web service using ssl with client certificate (server check as require client certificate), the certificate on the server is signed by CA (go-daddy) i also have a client certificate (*.pfx), i fallowed this tutorial to attach the client certificate file, i am calling the web service using ksoap2, i keep getting error 403, but from the device (or pc) web browser its working fine (after installing the certificate)... i don't know much about client certificate but it seems to me like the connection is not using my certificate in the correct way.
when i was testing with self sign certificate it all work well.
any ideas what i am doing wrong? my ksoap2 kod:
public void GetUser(String user_name, String password, boolean isSchedule,
boolean writeTostatistic) throws Exception {
Log.d(GlobalUtil.TAG_LOG, "Calling GetUser() web service");
String METHOD_NAME = "GetUser";
globalUtil.user = new User();
User us = new User();
HttpsTransportSE httpTransport = new KeepAliveHttpsTransportSE(host,
port, file, timeout);
SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(
SoapEnvelope.VER12);
SoapObject Request = new SoapObject(NAMESPACE, METHOD_NAME);
httpTransport.debug = true;
envelope.dotNet = true;
envelope.headerOut = new Element[1];
envelope.headerOut[0] = elementHeaders;
Request.addProperty("user_name", user_name);
Request.addProperty("password", password);
Request.addProperty("isSchedule", isSchedule);
Request.addProperty("writeTostatistic", writeTostatistic);
envelope.implicitTypes = true;
envelope.setOutputSoapObject(Request); // prepare request
envelope.addMapping(NAMESPACE, "User", new User().getClass());
if (useCertificate) {
try {
((HttpsServiceConnectionSE) httpTransport
.getServiceConnection())
.setSSLSocketFactory(sSLContext);
} catch (IOException e) {
e.printStackTrace();
}
} else
allowAllSSL();
List<HeaderProperty> httpHeaders = null;
try {
httpHeaders = httpTransport.call(SOAP_ACTION + METHOD_NAME,
envelope, null);
SoapObject response = (SoapObject) envelope.getResponse();
if (response == null)
return;
us.Id = Integer.parseInt(response.getProperty("Id").toString());
if (!response.getProperty("User_Name").toString()
.equals("anyType{}"))
us.User_Name = response.getProperty("User_Name").toString();
if (!response.getProperty("Password").toString()
.equals("anyType{}"))
us.Password = response.getProperty("Password").toString();
if (!response.getProperty("USER_HEBREW_FIRSTNAME").toString()
.equals("anyType{}"))
us.USER_HEBREW_FIRSTNAME = response.getProperty(
"USER_HEBREW_FIRSTNAME").toString();
if (!response.getProperty("USER_HEBREW_LASTNAME").toString()
.equals("anyType{}"))
us.USER_HEBREW_LASTNAME = response.getProperty(
"USER_HEBREW_LASTNAME").toString();
us.Merhav = Integer.parseInt(response.getProperty("Merhav")
.toString());
us.Yaam = Integer.parseInt(response.getProperty("Yaam").toString());
us.Tat_Mifal = Integer.parseInt(response.getProperty("Tat_Mifal")
.toString());
us.Ezor = Integer.parseInt(response.getProperty("Ezor").toString());
us.EzorLahatz = Integer.parseInt(response.getProperty("EzorLahatz")
.toString());
/*
* us.PasswordExpirationDate=(Date)
* response.getProperty("PasswordExpirationDate");
*/
us.PasswordExpirationDate = User
.ParsePasswordExpirationDate((response
.getProperty("PasswordExpirationDate").toString()));
us.Password = password;
globalUtil.user = us;
SetSessionCookie(httpHeaders);
Log.d(GlobalUtil.TAG_LOG, "Finish calling GetUser() web service");
} catch (IOException | XmlPullParserException e1) {
if(e1!=null)
{
Log.e(GlobalUtil.TAG_LOG, e1.getMessage());
throw e1;
}
Log.e(GlobalUtil.TAG_LOG, "Error in Login web service.");
Log.e(GlobalUtil.TAG_LOG, "requestDump: "
+ httpTransport.requestDump);
Log.e(GlobalUtil.TAG_LOG, "responseDump: "
+ httpTransport.responseDump);
}
It is probably too late for you, but I am in a similar situation...
Older versions of Android (and pre-1.7 Java) had problem with (lack of) SNI in SSL. Supposedly this has been fixed since 2.3, but I believe somehow I have managed to mimic this bug in my 5.0 Android emulator. (Probably by using custom socket context factory.) In a browser I can access the URL using the same keystore/truststore, from Android I get 403.
What makes me believe that indeed lack of Server Name Indication is the cause...
...omitting the -servername param at the end results in 403, which is exactly what my Android code achieves. :D