
Test for SSL attacks - possible to extract certificate of server after SSLException?


For a project, I want to test if anyone is tampering with the SSL connection. The HttpsUrlConnection is using an SSLContext with a pinned certificate.

My question is: in case I get an SSLException, e.g. someone is trying to forge a wrong certificate, is there any way to get details about that certificate?

On a computer, using a browser (depending on browser and version) I will get a certificate warning and have an option to see details about the certificate.

I was wondering if there is any way to get this using the HttpsUrlConnection, or would there be another possibility? getServerCertificates() will not work at this point, as the connection has not been established, and I see no other option.


Solution

  • It turns out that starting from Android SDK 22, the exception thrown already includes details about the certificate.

    I could witness that devices running Android 21 would throw an IOException (Hostname not verified), while Android 22 throws an SSLPeerUnverifiedException, which also gives details about the certificate.
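The answer above relies on the exception message, which only carries certificate details on newer platform versions. A version-independent way to keep the presented chain around for logging or a user-facing warning is to wrap the pinning X509TrustManager so it records the chain the server sent before the pin check rejects it. The code below is an added example for this thread, not the asker's or answerer's code; the class and method names (`PinnedConnection`, `RecordingTrustManager`, `describe`, `connect`) are made up for the illustration, and it assumes the pinned certificate is available as an InputStream (for instance from an app resource).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class for this example; not part of the original post.
public final class PinnedConnection {

    /** Trust manager that remembers the last chain the server presented, accepted or not. */
    public static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager pinned;
        private volatile X509Certificate[] lastChain;
        private volatile boolean lastChainRejected;

        RecordingTrustManager(X509TrustManager pinned) { this.pinned = pinned; }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain.clone();          // copy before validation so it survives a failure
            lastChainRejected = false;
            try {
                pinned.checkServerTrusted(chain, authType);
            } catch (CertificateException e) {
                lastChainRejected = true;       // chain does not match the pin: keep evidence, then fail
                throw e;
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            pinned.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return pinned.getAcceptedIssuers(); }

        public X509Certificate[] lastChain() { return lastChain; }
        public boolean lastChainRejected() { return lastChainRejected; }
    }

    /** Builds a trust store containing only the pinned certificate (DER or PEM, read from the stream). */
    static RecordingTrustManager pinnedTrustManager(InputStream pinnedCert) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(pinnedCert);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return new RecordingTrustManager((X509TrustManager) tm);
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Human-readable summary of a presented chain, for a log line or a user-visible warning. */
    static String describe(X509Certificate[] chain) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            sb.append('[').append(i).append("] subject=").append(c.getSubjectX500Principal())
              .append(" issuer=").append(c.getIssuerX500Principal())
              .append(" serial=").append(c.getSerialNumber().toString(16))
              .append(" notAfter=").append(c.getNotAfter()).append('\n');
        }
        return sb.toString();
    }

    /** Connects with the pinned SSLContext; on failure, reports what the server presented and rethrows. */
    public static int connect(URL url, InputStream pinnedCert) throws Exception {
        RecordingTrustManager tm = pinnedTrustManager(pinnedCert);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            return conn.getResponseCode();
        } catch (IOException e) {   // SSLException (incl. SSLPeerUnverifiedException) extends IOException
            X509Certificate[] seen = tm.lastChain();
            if (seen != null) {
                System.err.println((tm.lastChainRejected() ? "Pin mismatch" : "Handshake or hostname failure")
                        + " for " + url.getHost() + ":\n" + describe(seen));
            }
            throw e;
        } finally {
            conn.disconnect();
        }
    }
}
```

The chain is copied before the wrapped trust manager runs, so it is available whether the failure is the pin check itself (a CertificateException turned into an SSLHandshakeException) or a later hostname mismatch, where the trust manager had already accepted the chain and the chain is simply reported as "accepted but connection failed". Because the recording manager only observes and rethrows, it does not weaken the pin: every rejection still propagates.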