I’m trying to make a connection to an LDAP server in my Android app, and am using the UnboundID SDK. Recently, a change was made from unsecured to secured LDAP, and I have to change the app accordingly. I have been given the SSL certificates file to validate against. I’ve already used the file to make a keystore as described here. I’ve got this keystore file in the assets folder of my app, and am pulling from that. The code below does not currently work, and throws the exception:
LDAPException(resultCode=01 (connect error), errorMessage=(‘An error occurred while attempting to connect to server place.myserver.com:636: javax.net.ssl.SSLHandShakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
// code from above link
AssetManager assetManager = getApplicationContext().getAssets();
InputStream keyStoreInputStream = assetManager.open("yourapp.store");
KeyStore trustStore = KeyStore.getInstance("BKS");
trustStore.load(keyStoreInputStream, "myPassword".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
// my code
SSLUtil sslUtil = new SSLUtil(tmf.getTrustManagers());
LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
connection.connect("place.myserver.com", 636);
However, the code segment:
SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
connection.connect("place.myserver.com", 636);
does work (although I was informed by the higher-ups that this would be insecure).
I’m not quite sure as to what exactly I’m doing wrong here, so any help would be appreciated. Also, if there is a better way of accomplishing this than what I’m attempting to do above, feel free to let me know 🙂 I would like to stick with the UnboundID library though, since the rest of the code is already written using that as well, and everything works if I use the TrustAllTrustManager.
It’s true that the trust all trust manager isn’t secure. It’s convenient for testing purposes, but it will allow a bad guy to set up his own server with a certificate he generates for himself and use it to impersonate the real server, or to operate as a man in the middle, intercepting and potentially alerting any communication between the client and the real server. With a more strict trust manager in place, the client should reject the bogus certificate that the fake server will present.
Unfortunately, though, it looks like the trust manager you’re trying to use in this case doesn’t like the certificate that your server is presenting to it. Because the trust all trust manager allows you to establish the connection, that means that your server does have a certificate and is capable of performing SSL communication, but there’s something about that certificate that your trust manager doesn’t like. It’s almost certainly not an issue with the LDAP SDK, since the same problem should arise with any other LDAP API if you’re using the same trust store.
If you look at the result, it has a message of “Trust anchor for certification path not found”. This implies that neither the certificate the server is using nor those of any of its issuers was found in the trust store. You’ll need to import the server certificate (or the certificate of one of its issuers) into the trust store that you’re using. It sounds like you’ve tried to do that, but since it’s not working then something must not be quite right with the way it was done. I’d recommend working wit the directory server administrator to ensure that you’re trying to import the right certificate based on the server configuration.