OkHttp javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified
I had the same problem, however I needed my application to work on several staging environments, all of which had self signed certs. To make matters worse, they could change those certs on the fly.
To fix this, when connecting to staging only, I added a SSLSocketFactory which trusted all certs. This fixed the java error, however it left me with the okhttp exception noted in this ticket.
To avoid this error, I needed to add one more customization to my okHttpClient. This fixed the error for me.
okHttpClient.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
I finally got this working with a mix of multiple answers.
First, the certificates was made wrongly, not sure how. But by creating them using the script in this answer made them work. What was needed was a server certificate and a key. Then the client needed another certificate.
To use the certificate in android I converted the .pem file to a .crt file like this:
openssl x509 -outform der -in client.pem -out client.crt
In android I added the certificate to my OkHttp client like the following:
public ApiService() {
mClient = new OkHttpClient();
mClient.setConnectTimeout(TIMEOUT_SECONDS, TimeUnit.SECONDS);
mClient.setReadTimeout(TIMEOUT_SECONDS, TimeUnit.SECONDS);
mClient.setCache(getCache());
mClient.setSslSocketFactory(getSSL());
}
protected SSLSocketFactory getSSL() {
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream cert = getAppContext().getResources().openRawResource(R.raw.client);
Certificate ca = cf.generateCertificate(cert);
cert.close();
// creating a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
return new AdditionalKeyStore(keyStore);
} catch(Exception e) {
e.printStackTrace();
}
return null;
}
The last part with new AdditionalKeyStore()
is taken from this very well written answer. Which adds a fallback keystore.
I hope this might help anyone else! This is the simplest way to get HTTPS working with a self-signed certificate that I have found. Other ways include having a BouncyCastle keystore which seems excessive to me.
This issue is solved by setting setHostNameVerifier
to okHttpBuilder
. Make sure verify method should return true.
Sample:
okHttpClient.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
OkHttpClient.Builder builder = new OkHttpClient.Builder();
builder.hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
OkHttpClient client = builder.build();