More on Android and Revoked SSL Certificates

As a follow-up to yesterday’s post on how Android handles revoked SSL certificates:

  • It looks like the server I was testing has different behavior for different user agents, and HttpURLConnection and OkHttp also do not validate whether the SSL certificate was revoked.

  • Nikolay Elenkov, in addition to pointing out the above, has some useful comments regarding SSL certificate revocation in general in comments on my G+ post pointing to my blog post

  • Dave Bleicher, in those same G+ comments, confirmed that HttpClient does not pay attention to whether the SSL certificate is revoked.

  • StackOverflow user “sergio91pt” points out that the conscrypt OpenSSL-based TrustManager used on current versions of Android specifically disables “CRL checking”, where CRL is “certificate revocation list”.

  • StackOverflow user “Stephen C” points out that stock Java also has certificate revocation checking disabled by default.

Many thanks to all who contributed here!

The upshot that unless you want to do your own CRL work — as Firefox presumably has done — your Android apps will be oblivious to revoked SSL certificates. This is unfortunate though not surprising. However, it would have been nice if this behavior were documented somewhere, other than in random blog posts like this one.

Learn second-generation Android app development — with Kotlin and the Android Jetpack — through CommonsWare’s Android app development training!