0
votes

My app connects to the Worklight server over HTTPS using a self-signed certificate. The app can be launched successfully.

However, when a direct update starts downloading a file from the Worklight server, it fails, and I can see an error message about the certification path not being found.

May I know if the SSLHandshakeException and direct update error are correlated? Thanks!

(Environment: Worklight 5.0.6.1, WAS ND 8.5, Testing Device: HTC One)

10-31 21:24:50.897: W/System.err(28746): Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
10-31 21:24:50.897: W/System.err(28746): return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
10-31 21:24:50.927: E/WLDroidGap(28746): Failed downloading application update file.

2 Answers

2
votes

Yes, the use of direct update and the SSL handshake errors are related. Android doesn't allow you to work with self-signed certificates (unless you somehow bypass SSL). Because you can't install a self-signed cert into Android's truststore, the Android client can't establish trust for the server's self-signed certificate.

You probably have the following flag specified in your Android manifest file:

android:debuggable="true"

This flag disables SSL validation when going through the hybrid channels and is probably the reason why you don't see the SSL errors earlier. Direct update is handled at a different level, where this flag does not apply, and therefore SSL validation does occur.

You should use self-signed CA certificates instead for dev/test purposes. See the following answer on how to generate a self-signed CA: https://stackoverflow.com/a/19841469/2494287
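
To illustrate the distinction drawn in the answer above, here is an added example (not part of the answer or of the linked post) that uses the openssl CLI to build a self-signed CA, issue a server certificate from it, and contrast that with a plain self-signed server certificate. The names "Dev Test CA" and worklight.dev.example, the file names and the 30-day lifetime are assumptions.

```shell
# Added example; "Dev Test CA" and worklight.dev.example are constructed placeholders.
set -eu
# write_cfg DIR: minimal OpenSSL config with one extension section per certificate role.
write_cfg() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:worklight.dev.example
EOF
}
# make_ca DIR: self-signed CA certificate (ca.crt is what the test device must trust).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/pki.cnf" \
    -extensions v3_ca -subj "/CN=Dev Test CA" -keyout "$1/ca.key" -out "$1/ca.crt"
}
# make_server DIR: server certificate issued by that CA (what the server presents).
make_server() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=worklight.dev.example" -keyout "$1/srv.key" -out "$1/srv.csr"
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 30 -extfile "$1/pki.cnf" -extensions v3_server -out "$1/srv.crt"
}
# make_selfsigned_leaf DIR: plain self-signed server certificate, as in the question.
make_selfsigned_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/pki.cnf" \
    -extensions v3_server -subj "/CN=worklight.dev.example" \
    -keyout "$1/leaf.key" -out "$1/leaf.crt"
}
# is_ca FILE: succeeds only if the certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# chains_to CA CERT: succeeds if CERT validates with CA as the only trust anchor.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demo run in a scratch directory.
d=$(mktemp -d); write_cfg "$d"; make_ca "$d"; make_server "$d"; make_selfsigned_leaf "$d"
is_ca "$d/ca.crt" && echo "ca.crt is a CA certificate"
chains_to "$d/ca.crt" "$d/srv.crt" && echo "srv.crt validates against ca.crt"
chains_to "$d/ca.crt" "$d/leaf.crt" || echo "leaf.crt has no trust anchor in ca.crt"
```

Keep ca.key off the server and off the device: only ca.crt is distributed, and srv.crt with srv.key goes on the server.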

1
votes

Direct update will not work with a self-signed certificate. It is intended to be used in production, therefore it will only accept a valid CA cert.