@ptitov
Created January 2, 2012 23:45
How To Fix SSL Certificate Verification

To fix an SSL verification error, do one of the following:

Use the http protocol instead of https for the connection

If your server uses a self-signed certificate, this is the simplest way to solve the problem. If you experience problems with a commercial certificate or a private certificate authority (CA), refer to the following sections instead of falling back to the http protocol.

Contrary to popular belief, disabling https altogether will not harm security if a self-signed certificate is used on the server. Most often, https is used to ensure that the data connection between client and server stays secure even in the case of a man-in-the-middle attack, when a third party has access to the communications channel. Unfortunately, a self-signed certificate does not provide this level of security. Although the data is encrypted, an unauthorized third party can decrypt or even tamper with the data by intercepting the connection and re-encrypting it with its own self-signed certificate. There is no way for the client to determine whether it is communicating with a self-signed certificate installed on a legitimate server or with an attacker's traffic interceptor.

Install server certificate from a trusted vendor

This is the most robust solution and the preferred one in most cases: it provides high-grade encryption, the ability to ensure that the connection stays secure, and no need to configure client devices. Commercial vendors sell certificates for as little as $49.

If the error still occurs with a commercial CA, ensure that the certificate chain is configured correctly on the server, that is, the server sends its own certificate together with any intermediate CA certificates the client needs to reach a trusted root.

Use your own certificate authority and install its certificate on the mobile device

Your own CA provides all the security features of a commercial certificate without any expense. http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ offers an excellent step-by-step tutorial on creating a CA with OpenSSL.

To use your own CA, its certificate must be installed on every device that connects to the server, so that the devices can check the server's identity. Follow Google's guide on installing CA certificates on Android, http://support.google.com/mobile/bin/static.py?hl=en&topic=1088950&guide=1091391&page=guide.cs&answer=168934, or use the http://www.realmb.com/droidCert/ tool to do it from the browser on the mobile device.
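As an added example (not part of this gist or the linked tutorial), the script below builds a private CA with OpenSSL, issues a server certificate from it, and shows what a client concludes with the CA certificate installed, with no CA installed, and with an unrelated CA installed; the CA names, the host name example.internal and the working directory are assumptions.

```shell
#!/bin/sh
# Added example: private CA with OpenSSL, a server certificate issued by it,
# and the verification result a client sees with and without that CA installed.
# The CA names, the host name example.internal and $WORK are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/own-ca-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA: a self-signed root certificate (ca.key must stay private)
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key and certificate signing request for the host clients connect to
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=example.internal" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. The CA signs the request; the server presents server.crt to clients
openssl x509 -req -days 365 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.crt" 2>/dev/null

# 4. An unrelated self-signed CA, standing in for any CA the device does not trust
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Some Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# verify_with_ca FILE: returns 0 if server.crt chains to the CA certificate in
# FILE, i.e. what a device with that CA certificate installed would conclude
verify_with_ca() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# verify_without_ca: the same check on a device with no private CA installed
# (system trust store disabled here); fails with "unable to get local issuer"
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

if verify_with_ca "$WORK/ca.crt";     then echo "own CA installed:   trusted";  fi
if ! verify_without_ca;               then echo "no CA installed:    rejected"; fi
if ! verify_with_ca "$WORK/other.crt"; then echo "wrong CA installed: rejected"; fi
```

Only the first check succeeds; the other two are the errors a device reports until the private CA certificate is installed on it.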
