New Contributor
Posts: 5
Registered: ‎05-31-2012
My Device: Curve 9300

Validating SSL Certificates with the Application

Hi all,

I have an application that connects to a web service over HTTPS. I want to ensure that this channel is secure by ensuring that the server has a valid SSL certificate.

To test this I've tried making connections to a server with an invalid SSL certificate. The problem is the user is always given the option of trusting the invalid SSL certificate.

Is there a way for me to make a connection and not give the user the option of trusting an invalid SSL certificate? Or for the application to detect that an invalid SSL certificate has been used and not proceed with the connection?

Below is an example of code I've been using to make a connection.

httpsConn = (HttpsConnection)Connector.open(connectionString);
Certificate cert = httpsConn.getSecurityInfo().getServerCertificate();

From the certificate I can only check things such as issuer name etc. None of these guarantee a trusted certificate as these can all be spoofed. I need a way to verify the chain.

Any help would be greatly appreciated!

Zak

BlackBerry Development Advisor
Posts: 15,727
Registered: ‎07-09-2008
My Device: BlackBerry PRIV
My Carrier: Bell

Re: Validating SSL Certificates with the Application

Are you looking to disable these completely on the device?  A BlackBerry Enterprise Server administrator can configure their users so that untrusted connections are not allowed.  This is done via IT Policy settings on the BES.

Mark Sohm
BlackBerry Development Advisor

Please refrain from posting new questions in solved threads.
Problem solved? Click the Accept As Solution button.
Found a bug? Report it using Issue Tracker
New Contributor
Posts: 5
Registered: ‎05-31-2012
My Device: Curve 9300

Re: Validating SSL Certificates with the Application

Thanks for the reply. I am aware that it is possible through IT policy. However, I am looking for a solution that can be used for normal consumers that are not hooked up to a BES environment.

The two ways below would be acceptable:

  1. Make a connection such that the user cannot trust an invalid certificate. Can an application initiate a connection in this way without relying on the device's security settings?
  2. The application verifies the authenticity of the server's certificate and terminates the connection if it is not valid. In this case it wouldn't matter if the user trusts the certificate, the application can just terminate the connection. Is it possible through the application?

Thanks,

Zak

BlackBerry Development Advisor
Posts: 15,727
Registered: ‎07-09-2008
My Device: BlackBerry PRIV
My Carrier: Bell

Re: Validating SSL Certificates with the Application

There is no system built in for third party applications to configure this for itself or switch to disable untrusted connections.

Mark Sohm
BlackBerry Development Advisor

New Contributor
Posts: 5
Registered: ‎05-31-2012
My Device: Curve 9300

Re: Validating SSL Certificates with the Application

Thanks again for the reply. So there is no way for an application to disable a connection to a server with an untrusted SSL certificate. Is there any way for an application to detect that an untrusted SSL certificate is being used?

Thanks,

Zak