{"id":7728,"date":"2015-10-19T01:11:55","date_gmt":"2015-10-19T01:11:55","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2015\/10\/19\/does-okhttp-support-accepting-self-signed-ssl-certs-open-source-projects-square-okhttp\/"},"modified":"2015-10-19T01:11:55","modified_gmt":"2015-10-19T01:11:55","slug":"does-okhttp-support-accepting-self-signed-ssl-certs-open-source-projects-square-okhttp","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2015\/10\/19\/does-okhttp-support-accepting-self-signed-ssl-certs-open-source-projects-square-okhttp\/","title":{"rendered":"Does OkHttp support accepting self-signed SSL certs?-open source projects square\/okhttp"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/47b581ac2a5913dda61e1c2ed04a60e5?s=128&amp;d=identicon&amp;r=PG&amp;f=1\" \/> <strong>mailmustdie<\/strong><\/p>\n<p>Yes, it does.<\/p>\n<p>Retrofit allows you to set your custom HTTP client, that is configured to your needs.<\/p>\n<p>As for self-signed SSL certs, there is a discussion here. 
The link contains code samples to add self-signed SSL to Android&#8217;s <code>DefaultHttpClient<\/code> and to load this client to Retrofit.<\/p>\n<p>If you need <code>OkHttpClient<\/code> to accept self-signed SSL, you need to pass it a custom <code>javax.net.ssl.SSLSocketFactory<\/code> instance via the <code>setSslSocketFactory(SSLSocketFactory sslSocketFactory)<\/code> method.<\/p>\n<p>The easiest method to get a socket factory is to get one from <code>javax.net.ssl.SSLContext<\/code> as discussed here.<\/p>\n<p>Here is a sample for configuring OkHttpClient:<\/p>\n<pre><code>OkHttpClient client = new OkHttpClient();\nKeyStore keyStore = readKeyStore(); \/\/your method to obtain KeyStore\nSSLContext sslContext = SSLContext.getInstance(\"SSL\");\nTrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\ntrustManagerFactory.init(keyStore);\nKeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());\nkeyManagerFactory.init(keyStore, \"keystore_pass\".toCharArray());\nsslContext.init(keyManagerFactory.getKeyManagers(),trustManagerFactory.getTrustManagers(), new SecureRandom());\nclient.setSslSocketFactory(sslContext.getSocketFactory());\n<\/code><\/pre>\n<p>The <code>client<\/code> here is now configured to use certificates from your <code>KeyStore<\/code>. However, it will only trust the certificates in your <code>KeyStore<\/code> and will not trust anything else, even if your system trusts them by default. 
(If you have only self-signed certs in your <code>KeyStore<\/code> and try to connect to Google main page via HTTPS you will get <code>SSLHandshakeException<\/code>).<\/p>\n<p>You can obtain <code>KeyStore<\/code> instance from file as seen in docs:<\/p>\n<pre><code>KeyStore readKeyStore() throws java.security.GeneralSecurityException, java.io.IOException {\n    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());\n\n    \/\/ get user password and file input stream\n    char[] password = getPassword();\n\n    java.io.FileInputStream fis = null;\n    try {\n        fis = new java.io.FileInputStream(\"keyStoreName\");\n        ks.load(fis, password);\n    } finally {\n        if (fis != null) {\n            fis.close();\n        }\n    }\n    return ks;\n}\n<\/code><\/pre>\n<p>If you are on Android you can put it in <code>res\/raw<\/code> folder and get it from a <code>Context<\/code> instance using<\/p>\n<pre><code>fis = context.getResources().openRawResource(R.raw.your_keystore_filename);\n<\/code><\/pre>\n<p>There are several discussions on how to create your keystore. For example, here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>mailmustdie Yes, it does. Retrofit allows you to set your custom HTTP client, that is configured to your needs. As for self-signed SSL certs, there is a discussion here. The link contains code samples to add self-signed SSL to Android&#8217;s DefaultHttpClient and to load this client to Retrofit. 
If you need OkHttpClient to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7728","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/7728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=7728"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/7728\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=7728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=7728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=7728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}