Problems connecting to a server using SSL

Ivo · February 10, 2017, 12:44pm

Hi,

We’re having troubles with Android-devices connecting to a server using SSL. Windows-clients are able to connect. When we switch SSL off, Android clients are also able to connect, but when using SSL the client is unable to connect. Due to company policy we have to use SSL.

Can someone specify which tls version and sub protocols the android client is exactly expecting?

alex · February 10, 2017, 1:04pm

It depends on the version of the Android OS on your device. There’s details from Google here on what is available here:
https://developer.android.com/reference/javax/net/ssl/SSLEngine.html

Android 4.4 onwards will do TLS 1.2 so that’s probably the best choice.

If your server is publicly accessible, running a Qualys SSL Labs test will tell you what versions of Android will be able to connect and which won’t.

https://www.ssllabs.com/ssltest/

Check however that the date and time are right on your device first, as that will prevent connection over SSL where connection over regular HTTP will work.

Ivo · February 10, 2017, 1:11pm

Hi Alex,

Thank you so much for the fast reply! We’re going to investigate your suggestions.

Ivo · March 2, 2017, 10:19am

Hi Alex,

I’ve updated my Android device and I’ve checked the date and time, but that doesn’t solve the problem. It probably has to do with the SSL-certificate. Therefore we manually installed the certificate the server users on the Android device, but when I try to connect to the CMS using a browser, it still doesn’t trust the certificate.

I know it’s not a Xibo problem, but do you have any idea what could be the problem?
The client and the CMS are both in an internal company network, could it have something to do with that?

Guru_Evi · March 3, 2017, 2:52pm

Are your SSL certificates signed by an external CA or internal CA? If you’re using an internal CA or an untrustworthy external CA (eg. StartSSL/WoSign) you have to add the CA manually. Your Android firmware should also be reasonably up-to-date because new CA’s and old or bad CA’s get added/removed quite frequently. If you can’t get an up-to-date Android firmware, then badger your manufacturer or ditch them altogether - trust me, having dealt with a number of them, it won’t get any better.

System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> ‘System’-section.

I personally have no problems using a LetsEncrypt certificate or Verisign certificates on Android. Make sure to add it to the system section, not the user section and you may have to reboot. You may also need root access. If you don’t have root access, then you may need to build a custom Android ROM with your CA baked into it.