Using the UnboundID SDK with an SSL certificate file to connect to an LDAP server in an Android application

I am trying to connect to an LDAP server from my Android application using the UnboundID SDK. Recently, access was changed from unsecured to secure LDAP, and I must modify the application accordingly. I was given an SSL certificate file for verification. I already used the file to create the keystore, as described here. I have this keystore file in my application's assets folder and I read it from there. The code below does not work and throws an exception:

LDAPException(resultCode=01 (connection error), errorMessage='An error occurred while trying to connect to the server place.myserver.com:636: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.')

    // code from above link: load the BKS trust store shipped in the app's assets
    AssetManager assetManager = getApplicationContext().getAssets();
    InputStream keyStoreInputStream = assetManager.open("yourapp.store");
    KeyStore trustStore = KeyStore.getInstance("BKS");
    trustStore.load(keyStoreInputStream, "myPassword".toCharArray());
    keyStoreInputStream.close();
    // build trust managers that only accept certificates chaining to the store
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
    tmf.init(trustStore);

    // my code: hand those trust managers to the UnboundID SSLUtil and connect over LDAPS
    SSLUtil sslUtil = new SSLUtil(tmf.getTrustManagers());
    LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
    connection.connect("place.myserver.com", 636);

However, the code segment:

    // accepts any certificate the server presents (no validation)
    SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
    LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
    connection.connect("place.myserver.com", 636);

works (although I was told that it is unsafe). I'm not quite sure what I am doing wrong here, so any help will be appreciated. Also, if there is a better way to do this than what I'm trying above, feel free to let me know :) I would like to stick with the UnboundID library, since the rest of the code is already written using it as well, and everything works if I use TrustAllTrustManager.

+4
1 answer

It is true that the trust-all trust manager is not secure. It is convenient for testing, but it allows a bad guy to set up his own server with a certificate he generated himself and use it to impersonate the real server, or to act as a man in the middle, intercepting and potentially altering any communication between the client and the real server. With a proper trust manager in place, the client will reject the fake certificate presented by a fake server.

Unfortunately, it looks like the trust manager you are trying to use in this case does not like the certificate that your server presents to it. Since the trust-all trust manager lets you establish a connection, your server does have a certificate and is able to perform SSL connections, but there is something about the certificate that your trust manager does not like. This is almost certainly not a problem with the LDAP SDK, since the same problem would occur with any other LDAP API if you used the same trust store.

If you look at the exception, it has the message "Trust anchor for certification path not found." This means that neither the certificate the server uses nor any of its issuers was found in the trust store. You will need to import the server certificate (or the certificate of one of its issuers) into the trust store that you use. It looks like you tried to do this, but since it does not work, something must not be quite right with how it was done. I would recommend working with the directory server administrator to make sure that you are trying to import the correct certificate based on the server's configuration.

+3
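As an added offline diagnostic (not part of the question or the answer above), the program below loads the trust store the same way the app does, parses the certificate file the server administrator handed over, and asks the resulting X509TrustManager whether it accepts that chain; the printed trust anchors and issuer names show which certificate is missing from the store. The file paths, store type and password are placeholders, and BKS needs the Bouncy Castle provider outside Android, so on a desktop JVM use a JKS or PKCS12 copy of the store.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    // Build the X509TrustManager from a trust store file, mirroring what the app does with its assets.
    static X509TrustManager trustManagerFrom(String path, String type, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager built from " + path);
    }

    // Parse one or more PEM certificates (the server certificate, optionally followed by its issuers).
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: substitute your own store, password and the certificate file you were given.
        X509TrustManager tm = trustManagerFrom("yourapp.store", "BKS", "myPassword".toCharArray());
        X509Certificate[] chain = loadChain("server-cert.pem");
        System.out.println("Trust anchors in store:");
        for (X509Certificate a : tm.getAcceptedIssuers()) System.out.println("  " + a.getSubjectX500Principal());
        System.out.println("Chain from certificate file:");
        for (X509Certificate c : chain) System.out.println("  " + c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal());
        try {
            // Same validation the SSL handshake performs; throws when no anchor in the store covers the chain.
            tm.checkServerTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            System.out.println("OK: the trust store accepts this chain");
        } catch (CertificateException e) {
            System.out.println("REJECTED: " + e.getMessage());
        }
    }
}
```

If the check passes here but the app still fails, the certificate the server actually sends differs from the file you were given, which is the case to raise with the server administrator.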
