Archived Forum Post

Index of archived forum posts

Question:

Android libs cannot verify server certs

Feb 25 '16 at 10:54

I'm using the android IMAP and SMTP libraries, and if I set RequireSslCertVerify = true on either of them, it will always fail:

09-07 18:37:47.318: D/ReportEmails(17379): checkServerCert:
09-07 18:37:47.318: D/ReportEmails(17379): Verifying server certificate...
09-07 18:37:47.318: D/ReportEmails(17379): validateServerCerts:
09-07 18:37:47.318: D/ReportEmails(17379): certListSize: 3
09-07 18:37:47.318: D/ReportEmails(17379): issuerDN_notFound: US, Equifax, Equifax Secure Certificate Authority
09-07 18:37:47.318: D/ReportEmails(17379): Unable to build certificate chain to root..
09-07 18:37:47.318: D/ReportEmails(17379): --validateServerCerts
09-07 18:37:47.318: D/ReportEmails(17379): SSL server certificate verification failed.
09-07 18:37:47.318: D/ReportEmails(17379): --checkServerCert

I've tried with several servers (example above is Gmail's SMTP cert) and none work. Do the Android libraries have problems loading the CA cert store on the device?

Answer

At the time of this post (9-Sep-2014) Chilkat does not have the ability to read Java keystores. Some possible workarounds are:

Convert the Java keystore to a PEM file containing the certs and then use the Chilkat TrustedRoots class to explicitly trust the certs in the PEM file.
or.. write Java code that opens the keystore, fetches each cert, and provides it to the Chilkat TrustedRoots object by calling AddCert for each.

Answer

I too ran into this issue. You'll need to do a bit of work to get the Android root system certs and load them into a CkTrustedRoots object. Here is my solution for loading up the system root certs

Chilkat HTTP for Android: Load System Root Certificates

Answer

Thanks Sean! I'll post this on the blog (cknotes.com) right now..

Answer

PS> I'm also going to link from the online refdocs for Java..