06-01-2012 05:32 AM
I have an application that connects to a web service over HTTPS. I want to ensure that this channel is secure by ensuring that the server has a valid SSL certificate.
To test this I've tried making connections to a server with an invalid SSL certificate. The problem is the user is always given the option of trusting the invalid SSL certificate.
Is there a way for me to make a connection and not give the user the option of trusting an invalid SSL certificate? Or for the application to detect that an invalid SSL certificate has been used and not proceed with the connection?
Below is an example of code I've been using to make a connection.
httpsConn = (HttpsConnection)Connector.open(connectionString);
Certificate cert = httpsConn.getSecurityInfo().getServerCertificate();
From the certificate I can only check things such as issuer name etc. None of these guarantee a trusted certificate, as these can all be spoofed. I need a way to verify the chain.
Any help would be greatly appreciated!
06-01-2012 09:28 AM
Are you looking to disable these completely on the device? A BlackBerry Enterprise Server administrator can configure their users so that untrusted connections are not allowed. This is done via IT Policy settings on the BES.
06-01-2012 09:42 AM
Thanks for the reply. I am aware that it is possible through IT policy. However, I am looking for a solution that can be used for normal consumers that are not hooked up to a BES environment.
The two ways below would be acceptable:
06-04-2012 09:57 AM
There is no system built in for third-party applications to configure this for themselves, or a switch to disable untrusted connections.
06-06-2012 06:20 AM