Discussion Board

  1. #1
    Registered User
    Join Date
    Feb 2013
    Posts
    41

    Using self-issued certificates with secure socket connections (SSL)?

    Hi there!

    I need to talk to a server over a secure socket connection (SSL). Unfortunately, the server that I need to talk to is using a self-issued certificate and so whenever I try to open up a connection to it:

    Code:
    (SecureConnection) Connector.open("ssl://blah.com:79")
    I get a CertificateException with the code UNRECOGNIZED_ISSUER which apparently is because the matching certificate is not on the device's keystore as it is self-issued.
    Now what I need to know is how I can import a self-issued certificate into the device's keystore programmatically so that when I open up a socket connection via SSL to the server that uses a self-issued keystore, the network client API will recognize the certificate, the handshake will be complete, and the connection will be opened.

    I've looked at the MIDP GCF and it seems to be pretty limited in what it can do. I also tried looking up BouncyCastle as it is one of the popular network libraries out there and it supports J2ME, but it is a very confusing API and I can't really figure out where to start on that one.

    I have been struggling with this problem for a while and I hope that somebody can help me with this. I'd prefer not to use BouncyCastle as it looks like a lot of API for the simple task that I am trying to accomplish, but if this is the only choice, a simple snippet on how to do it would be really helpful!

    Sincerely,
    Jim

  2. #2
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Using self-issued certificates with secure socket connections (SSL)?

    How to do this is specific to the device - you can't do it from within your application.

    What device are you using?

    This conversation mentions installing certificates on phones by deploying from a webserver - this is easy, provided you have the correct file type and the right MIME type configured on the web server.

    Graham.

  3. #3
    Registered User
    Join Date
    Feb 2013
    Posts
    41

    Re: Using self-issued certificates with secure socket connections (SSL)?

    Thanks for the quick reply! I am working with Asha 311 and C3-00.

    You have mentioned that I cannot do it from within my application. And if I get what was posted in the link that you sent correctly, what this boils down to is for the user to manually download the certificate from a web server by using a web browser - and if the MIME type is set correctly, then the browser would do the installation for you - is this correct? If this is the case, then this method is only good for testing since asking users to do this procedure before using the product is just too much to ask. Let me know if I misunderstood this.

  4. #4
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Using self-issued certificates with secure socket connections (SSL)?

    Quote: Originally posted by lordbritishix1982
    "If I get what was posted in the link that you sent correctly, what this boils down to is for the user to manually download the certificate from a web server by using a web browser - and if the mime type is set correctly, then the browser would do the installation for you - is this correct?"

    That would be my understanding. Unless traud replies and tells us otherwise - he knows more than me on this subject.

    Quote: Originally posted by lordbritishix1982
    "If this is the case, then this method is only good for testing since asking for users to do this procedure before using the product is just too much to ask."

    That's down to what you think your users will stand. But life is simpler (if also more expensive) if you buy a certificate that the devices will recognize. For that, you need some idea of your users' devices. If they could be old, you're safer going with Thawte or VeriSign. If they're newer, they probably have a broader range of root certificates pre-installed... take a look on the device you have (or use Remote Device Access) to see what was factory installed. You might be able to get a server certificate for as little as £40.

    Oh, you can launch the browser to a specific URL from within the app, if that helps... detect the error, catch it, tell the user they need to install the certificate, then launch the browser, ...

    Graham.

  5. #5
    Registered User
    Join Date
    Feb 2013
    Posts
    41

    Re: Using self-issued certificates with secure socket connections (SSL)?

    Ah.. that's unfortunate - well thank you so much for your help!

  6. #6
    Nokia Developer Champion
    Join Date
    Mar 2003
    Posts
    4,104

    Re: Using self-issued certificates with secure socket connections (SSL)?

    Quote: Originally posted by lordbritishix1982
    "how I can import a self-issued certificate into the device's keystore programatically"

    In Series 40, you cannot. Or said differently: I am not aware of any such API.

    However, there are several other options:
    A. Convince the original server maintainer to go for a well-known certificate.
    B. Sponsor the original server maintainer the price for a well-known certificate – because they are rather cheap, save yourself and your users a bit of time
    C. Buy your own certificate and build an SSL proxy, for example with stunnel
    D. Use stunnel as SSL client only (no need to buy a certificate)
    E. Place the certificate authority on your server and install the certificate authority via MIDlet.platformRequest
    F. Install the certificate authority via Bluetooth
    G. Install the certificate authority on your phones via web browser

    Options E and G require the delivery of your file as MIME media type application/x-x509-ca-cert. The current version of the Nokia Xpress Internet browser does not support this file type. This affects option G. For such devices, you have to use the traditional Internet browser:
    • Full-Touch:
      1. open the app Files
      2. open the folder About
      3. touch Open Source Software Notices
      4. via the arrow, expand the options
      5. touch the star for bookmarks
      6. in the upper right corner, touch the Plus
      7. enter the address of your certificate and go for that
    • Other models like Touch and Type:
      1. open the Menu
      2. open the icon Apps.
      3. open the app Gallery
      4. open the folder About
      5. open the file Licences
      6. via the arrows, expand the options
      7. Go to address
    On devices with the traditional Internet browser, just use ‘Internet » Go to address’. Those devices have a menu structure like: Menu » Internet » Bookmarks » About » Licenses.

    Why is this so complicated? The MIDP creators were afraid of a security punch when it comes to certificate authorities. Therefore, they did not think about this scenario although it could have been added for signed MIDlets quite easily. Nobody did unfortunately. Option G is a real pain for me, because I deal with VoIP and SIPs/sRTP. Furthermore, there are zillions of misconfigured SSL browsers out there, and adding a certificate is even more complicated than convincing the original site maintainer.
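
The flow suggested in posts #4 and #6 (detect the error, then hand the certificate authority URL to the browser with MIDlet.platformRequest), written out as an added example that is not code from any poster in this thread. The class name CaInstallMidlet and the CA_URL value are hypothetical; the server address is the placeholder from post #1, and the web server behind CA_URL is assumed to send the file as application/x-x509-ca-cert.

```java
import java.io.IOException;
import javax.microedition.io.ConnectionNotFoundException;
import javax.microedition.io.Connector;
import javax.microedition.io.SecureConnection;
import javax.microedition.lcdui.Alert;
import javax.microedition.lcdui.AlertType;
import javax.microedition.lcdui.Display;
import javax.microedition.midlet.MIDlet;
import javax.microedition.pki.CertificateException;

public class CaInstallMidlet extends MIDlet implements Runnable {
    // Assumed values: the thread's placeholder host and a hypothetical CA download URL.
    // The web server must deliver the CA file as application/x-x509-ca-cert.
    private static final String SERVER = "ssl://blah.com:79";
    private static final String CA_URL = "http://ca.example.invalid/ca.cer";
    protected void startApp() { new Thread(this).start(); } // network I/O off the UI thread
    protected void pauseApp() { }
    protected void destroyApp(boolean unconditional) { }

    public void run() {
        SecureConnection conn = null;
        try {
            conn = (SecureConnection) Connector.open(SERVER); // handshake happens here
            show("Connected", "Cipher suite: " + conn.getSecurityInfo().getCipherSuite());
        } catch (CertificateException e) { // must precede IOException, its superclass
            if (e.getReason() == CertificateException.UNRECOGNIZED_ISSUER) {
                installCa();
            } else { // expired, wrong site name, etc.: installing a CA would not help
                show("Certificate rejected", "Reason code " + e.getReason());
            }
        } catch (IOException e) {
            show("Connection failed", String.valueOf(e.getMessage()));
        } finally {
            if (conn != null) { try { conn.close(); } catch (IOException ignored) { } }
        }
    }

    private void installCa() {
        try {
            // true means the MIDlet has to exit before the browser can handle the URL
            if (platformRequest(CA_URL)) { notifyDestroyed(); }
        } catch (ConnectionNotFoundException e) {
            show("Cannot open browser", CA_URL);
        }
    }

    private void show(String title, String text) {
        Display.getDisplay(this).setCurrent(new Alert(title, text, null, AlertType.INFO));
    }
}
```

Only UNRECOGNIZED_ISSUER leads to the install step; every other CertificateException reason is reported and the connection is abandoned, so an expired or mismatched certificate is never papered over by installing a new root.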
