mattleibow/square-bindings

self-signed cert brings "stream was reset: PROTOCOL_ERROR"

Closed this issue · 2 comments

I'm trying to connect from Android to some servers with self-signed certificates. Unfortunately, my users sometimes create and use their own (self-signed) certs, so I don't have the cert in advance. I need to check them myself in a method similar to ServicePointManager.ServerCertificateValidationCallback.

This works well with a standard HttpClient without OkHttp but it's not as fast as it could be.

Then I tried to use OkHttp with an SSLSocketFactory and a custom TrustManager as you described on https://dotnetdevaddict.co.za/2015/07/31/self-signed-certificates-and-xamarin-android/ but I got:

System.Net.WebException, Message=Hostname code4ward.ddns.net not verified:
certificate: sha1/gKQj9VUg8shM8xPNBzx/QVlKRtk=
DN: CN=RoyalServer
subjectAltNames: [], InnerException=, StackTrace=

I guess it's because the hostname does not match the subject in the certificate. But this is ok in my case.

To get around that error I added a HostnameVerifier. Now the first request calls my TrustManager (which does not raise an Exception) and then it calls my HostnameVerifier (which returns true) but then I get the exception:

System.Net.WebException, Message=stream was reset: PROTOCOL_ERROR, InnerException=, StackTrace=

Do you know how I can get this working? Or at least how to get more info?

I saw some issues regarding this error in https://github.com/square/okhttp/issues/ but nothing which helped in my case.
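The post above describes wiring a custom TrustManager and a HostnameVerifier into OkHttp from Xamarin.Android so that the app, not the platform trust store, decides whether a self-signed server certificate is acceptable. The following is an added example of that wiring; it is not code from this thread, from the linked blog post, or from the OkHttpRepro project. It targets the Square.OkHttp3 binding (the version the thread later reports working) and assumes the binding method names SslSocketFactory, HostnameVerifier, Url, NewCall and Body; the CallbackTrustManager, PinnedHostnameVerifier and CertPins names, and the placeholder fingerprint in the usage, are this example's own. The security point it adds over a "return true" verifier is that the hostname check is only relaxed for a certificate the application has explicitly pinned for that host, and the trust manager still rejects everything else.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using Java.Security.Cert;
using Javax.Net.Ssl;
using Square.OkHttp3;

// Trust manager that delegates the decision to a callback, much like
// ServicePointManager.ServerCertificateValidationCallback on .NET.
// The callback receives the server chain and returns true to accept it.
public class CallbackTrustManager : Java.Lang.Object, IX509TrustManager
{
    private readonly Func<X509Certificate[], bool> _accept;

    public CallbackTrustManager(Func<X509Certificate[], bool> accept)
    {
        _accept = accept;
    }

    public void CheckClientTrusted(X509Certificate[] chain, string authType)
    {
        // This client never authenticates peers as clients; refuse outright.
        throw new CertificateException("client certificates are not supported");
    }

    public void CheckServerTrusted(X509Certificate[] chain, string authType)
    {
        // Throwing CertificateException is how a Java TrustManager rejects a peer.
        if (chain == null || chain.Length == 0 || !_accept(chain))
            throw new CertificateException("server certificate rejected by application policy");
    }

    public X509Certificate[] GetAcceptedIssuers() => new X509Certificate[0];
}

// Hostname verifier that does not blindly return true: it skips the
// hostname/SAN match only when the leaf certificate in this session is one
// the application pinned for exactly this hostname.
public class PinnedHostnameVerifier : Java.Lang.Object, IHostnameVerifier
{
    private readonly IReadOnlyDictionary<string, HashSet<string>> _pins;

    public PinnedHostnameVerifier(IReadOnlyDictionary<string, HashSet<string>> pins)
    {
        _pins = pins;
    }

    public bool Verify(string hostname, ISSLSession session)
    {
        if (!_pins.TryGetValue(hostname, out var allowed)) return false;
        var peer = session.GetPeerCertificates();
        if (peer == null || peer.Length == 0) return false;
        return allowed.Contains(CertPins.Sha256Fingerprint(peer[0]));
    }
}

public static class CertPins
{
    // Lower-case hex SHA-256 over the DER encoding of the certificate.
    public static string Sha256Fingerprint(Certificate cert)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.GetEncoded()))
                               .Replace("-", "").ToLowerInvariant();
    }

    // Builds an OkHttp3 client whose trust decisions come from the pin table:
    // the trust manager accepts a leaf that is pinned for any host, and the
    // hostname verifier then ties that leaf to the specific host being contacted.
    public static OkHttpClient BuildClient(IReadOnlyDictionary<string, HashSet<string>> pins)
    {
        var allPins = new HashSet<string>(pins.Values.SelectMany(s => s));
        var trustManager = new CallbackTrustManager(
            chain => allPins.Contains(Sha256Fingerprint(chain[0])));

        var context = SSLContext.GetInstance("TLS");
        context.Init(null, new ITrustManager[] { trustManager }, null);

        return new OkHttpClient.Builder()
            .SslSocketFactory(context.SocketFactory, trustManager)
            .HostnameVerifier(new PinnedHostnameVerifier(pins))
            .Build();
    }
}

public static class Usage
{
    public static string Fetch()
    {
        // Constructed placeholder: replace with the fingerprint the user
        // approved for their own server (e.g. shown to them on first contact).
        var pins = new Dictionary<string, HashSet<string>>
        {
            ["code4ward.ddns.net"] = new HashSet<string> { "<sha256-hex-of-the-approved-cert>" }
        };
        var client = CertPins.BuildClient(pins);
        var request = new Request.Builder().Url("https://code4ward.ddns.net/").Build();
        using (var response = client.NewCall(request).Execute())
            return response.Body().String();
    }
}
```

Because the app computes the pin from the DER encoding rather than from the subject DN, a certificate with CN=RoyalServer and no subjectAltNames (as in the error quoted above) passes only if the user approved that exact certificate; a different self-signed certificate for the same hostname is rejected by the trust manager before the hostname verifier is consulted.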

It seems to be related to the server. If I use Fiddler as a proxy, then it works. I can also connect to https://self-signed.badssl.com/ without problems.

But I can use my server with the standard HttpClient, a browser or Fiddler as a proxy, so I don't think that the server misbehaves.

I made a repro project and published it on https://github.com/MichaelRumpler/OkHttpRepro.

I also saw http://stackoverflow.com/a/25992879/1722408. It's almost the same. They only use an SSLContext for "SSL" instead of "TLSv1.2", but that doesn't work for me either.

BTW, I'm using Square.OkHttp v2.7.5. I just saw that there is also a Square.OkHttp3. I'll try that next.

It seems to work with OkHttp3 3.5.0.