Improvements in SSL certifcates checking: URL is checked with the hostname in the certificate and all the problems are shown in the same dialog

res/layout/ssl_validator_layout.xml

@@ -63,18 +63,18 @@
 		 />
 		
 	<TextView
-		android:id="@+id/reason_hostname_not_vertified"
+		android:id="@+id/reason_hostname_not_verified"
 		android:layout_width="wrap_content"
 		android:layout_height="wrap_content"
 		android:layout_gravity="left"
 		android:paddingLeft="20dp"
-		android:text="@string/ssl_validator_reason_hostname_not_vertified"
+		android:text="@string/ssl_validator_reason_hostname_not_verified"
 		android:textAppearance="?android:attr/textAppearanceSmall"
 		 />
 	
     
 	<TextView
-        android:id="@+id/issuer"
+        android:id="@+id/subject"
         android:layout_width="wrap_content"
         android:layout_height="wrap_content"
 		android:padding="5dp"

res/values/strings.xml

@@ -189,7 +189,7 @@
     <string name="ssl_validator_reason_cert_not_trusted">- The server certificate is not trusted</string>
     <string name="ssl_validator_reason_cert_expired">- The server certificate expired</string>
     <string name="ssl_validator_reason_cert_not_yet_valid">- The server certificate is too young</string>
-    <string name="ssl_validator_reason_hostname_not_vertified">- The URL does not match the host name in the certificate</string>
+    <string name="ssl_validator_reason_hostname_not_verified">- The URL does not match the hostname in the certificate</string>
     <string name="ssl_validator_question">Do you want to trust this certificate anyway?</string>
     <string name="ssl_validator_not_saved">The certificate could not be saved</string>
     

src/com/owncloud/android/authenticator/ConnectionCheckOperation.java

@@ -24,7 +24,6 @@ import org.json.JSONException;
 import org.json.JSONObject;
 
 import com.owncloud.android.AccountUtils;
-import com.owncloud.android.network.SslAnalyzer;
 import com.owncloud.android.operations.RemoteOperation;
 import com.owncloud.android.operations.RemoteOperationResult;
 import com.owncloud.android.utils.OwnCloudVersion;
@@ -122,7 +121,7 @@ public class ConnectionCheckOperation extends RemoteOperation {
             if (tryConnection(client, "https://" + mUrl + AccountUtils.STATUS_PATH)) {
                 return new RemoteOperationResult(RemoteOperationResult.ResultCode.OK_SSL);
         			
-            } else if (!SslAnalyzer.isRecoverable(mLatestResult)) {
+            } else if (mLatestResult.isSslRecoverableException()) {
                 
                 Log.d(TAG, "establishing secure connection failed, trying non secure connection");
                 client.setBaseUri(Uri.parse("http://" + mUrl + AccountUtils.STATUS_PATH));

src/com/owncloud/android/network/AdvancedSslSocketFactory.java

@@ -24,15 +24,22 @@ import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.net.SocketAddress;
 import java.net.UnknownHostException;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
 
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509TrustManager;
 
 import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.params.HttpConnectionParams;
 import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
-import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
 import org.apache.http.conn.ssl.X509HostnameVerifier;
 
 import android.util.Log;
@@ -49,24 +56,32 @@ public class AdvancedSslSocketFactory implements ProtocolSocketFactory {
     private static final String TAG = AdvancedSslSocketFactory.class.getSimpleName();
     
     private SSLContext mSslContext = null;
-    private X509HostnameVerifier mHostnameVerifier;
+    private AdvancedX509TrustManager mTrustManager = null;
+    private X509HostnameVerifier mHostnameVerifier = null;
 
+    public SSLContext getSslContext() {
+        return mSslContext;
+    }
+    
     /**
      * Constructor for AdvancedSSLProtocolSocketFactory.
      */
-    public AdvancedSslSocketFactory(SSLContext sslContext, X509HostnameVerifier hostnameVerifier) {
+    public AdvancedSslSocketFactory(SSLContext sslContext, AdvancedX509TrustManager trustManager, X509HostnameVerifier hostnameVerifier) {
         if (sslContext == null)
             throw new IllegalArgumentException("AdvancedSslSocketFactory can not be created with a null SSLContext");
+        if (trustManager == null)
+            throw new IllegalArgumentException("AdvancedSslSocketFactory can not be created with a null Trust Manager");
         mSslContext = sslContext;
+        mTrustManager = trustManager;
         mHostnameVerifier = hostnameVerifier;
     }
 
     /**
-     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
+     * @see ProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int)
      */
     public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
         Socket socket = mSslContext.getSocketFactory().createSocket(host, port, clientHost, clientPort);
-        verifyHostname(host, socket);
+        verifyPeerIdentity(host, port, socket);
         return socket;
     }
 
@@ -94,7 +109,7 @@ public class AdvancedSslSocketFactory implements ProtocolSocketFactory {
         Log.d(TAG, "Creating SSL Socket with remote " + host + ":" + port + ", local " + localAddress + ":" + localPort + ", params: " + params);
         if (params == null) {
             throw new IllegalArgumentException("Parameters may not be null");
-        }
+        } 
         int timeout = params.getConnectionTimeout();
         SocketFactory socketfactory = mSslContext.getSocketFactory();
         Log.d(TAG, " ... with connection timeout " + timeout + " and socket timeout " + params.getSoTimeout());
@@ -104,31 +119,21 @@ public class AdvancedSslSocketFactory implements ProtocolSocketFactory {
         socket.setSoTimeout(params.getSoTimeout());
         socket.bind(localaddr);
         socket.connect(remoteaddr, timeout);
-        verifyHostname(host, socket);
+        verifyPeerIdentity(host, port, socket);
         return socket;
     }
 
     /**
-     * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int)
+     * @see ProtocolSocketFactory#createSocket(java.lang.String,int)
      */
     public Socket createSocket(String host, int port) throws IOException,
             UnknownHostException {
         Log.d(TAG, "Creating SSL Socket with remote " + host + ":" + port);
         Socket socket = mSslContext.getSocketFactory().createSocket(host, port);
-        verifyHostname(host, socket);
+        verifyPeerIdentity(host, port, socket);
         return socket; 
     }
 
-    /**
-     * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean)
-     */
-    /*public Socket createSocket(Socket socket, String host, int port,
-            boolean autoClose) throws IOException, UnknownHostException {
-        Log.d(TAG, "Creating SSL Socket from other shocket " + socket + " to remote " + host + ":" + port);
-        return getSSLContext().getSocketFactory().createSocket(socket, host,
-                port, autoClose);
-    }*/
-
     public boolean equals(Object obj) {
         return ((obj != null) && obj.getClass().equals(
                 AdvancedSslSocketFactory.class));
@@ -149,20 +154,103 @@ public class AdvancedSslSocketFactory implements ProtocolSocketFactory {
     }
     
     /**
-     * Verifies the host name with the content of the server certificate using the current host name verifier, if some
+     * Verifies the identity of the server. 
+     * 
+     * The server certificate is verified first.
+     * 
+     * Then, the host name is compared with the content of the server certificate using the current host name verifier, if any.
      * @param socket
      */
-    private void verifyHostname(String host, Socket socket) throws IOException {
-        if (mHostnameVerifier != null) {
+    private void verifyPeerIdentity(String host, int port, Socket socket) throws IOException {
+        try {
+            IOException failInHandshake = null;
+            /// 1. VERIFY THE SERVER CERTIFICATE through the registered TrustManager (that should be an instance of AdvancedX509TrustManager) 
             try {
-                mHostnameVerifier.verify(host, (SSLSocket) socket);
-            } catch (IOException iox) {
-                try {
-                    socket.close();
-                } catch (Exception x) {}
-                throw iox;
+                SSLSocket sock = (SSLSocket) socket;    // a new SSLSession instance is created as a "side effect" 
+                sock.startHandshake();
+            } catch (IOException e) {
+                failInHandshake = e;
+                if (!(e.getCause() instanceof CertificateCombinedException)) {
+                    throw e;
+                }
             }
+            
+            /// 2. VERIFY HOSTNAME
+            SSLSession newSession = null;
+            boolean verifiedHostname = true;
+            if (mHostnameVerifier != null) {
+                if (failInHandshake != null) {
+                    /// 2.1 : a new SSLSession instance was NOT created in the handshake
+                    X509Certificate serverCert = ((CertificateCombinedException)failInHandshake.getCause()).getServerCertificate();
+                    try {
+                        mHostnameVerifier.verify(host, serverCert);
+                    } catch (SSLException e) {
+                        verifiedHostname = false;
+                    }
+                
+                } else {
+                    /// 2.2 : a new SSLSession instance was created in the handshake
+                    if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.HONEYCOMB) {
+                        /// this is sure ONLY for Android >= 3.0 ; the same is true for mHostnameVerifier.verify(host, (SSLSocket)socket)
+                        newSession = ((SSLSocket)socket).getSession();
+                        if (!mTrustManager.isKnownServer((X509Certificate)(newSession.getPeerCertificates()[0])))
+                            verifiedHostname = mHostnameVerifier.verify(host, newSession); 
+                    
+                    } else {
+                        //// performing the previous verification in Android versions under 2.3.x  (and we don't know the exact value of x) WILL BREAK THE SSL CONTEXT, and any HTTP operation executed later through the socket WILL FAIL ; 
+                        //// it is related with A BUG IN THE OpenSSLSOcketImpl.java IN THE ANDROID CORE SYSTEM; it was fixed here:
+                        ////        http://gitorious.org/ginger/libcore/blobs/df349b3eaf4d1fa0643ab722173bc3bf20a266f5/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
+                        ///  but we could not find out in what Android version was released the bug fix;
+                        ///
+                        /// besides, due to the bug, calling ((SSLSocket)socket).getSession() IS NOT SAFE ; the next workaround is an UGLY BUT SAFE solution to get it
+                        SSLSessionContext sessionContext = mSslContext.getClientSessionContext();
+                        if (sessionContext  != null) {
+                            SSLSession session = null;
+                            synchronized(sessionContext) {  // a SSLSession in the SSLSessionContext can be closed while we are searching for the new one; it happens; really
+                                Enumeration<byte[]> ids = sessionContext.getIds();
+                                while (ids.hasMoreElements()) {
+                                    session = sessionContext.getSession(ids.nextElement());
+                                    if (    session.getPeerHost().equals(host) && 
+                                            session.getPeerPort() == port && 
+                                            (newSession == null || newSession.getCreationTime() < session.getCreationTime())) {
+                                        newSession = session;
+                                    }
+                               }
+                            }
+                            if (newSession != null) {
+                                if (!mTrustManager.isKnownServer((X509Certificate)(newSession.getPeerCertificates()[0]))) {
+                                    verifiedHostname = mHostnameVerifier.verify(host, newSession);
+                                }
+                            } else {
+                                Log.d(TAG, "Hostname verification could not be performed because the new SSLSession was not found");
+                            }
+                        }
+                    }
+                }
+            }
+
+            /// 3. Combine the exceptions to throw, if any
+            if (failInHandshake != null) {
+                if (!verifiedHostname) {
+                    ((CertificateCombinedException)failInHandshake.getCause()).setSslPeerUnverifiedException(new SSLPeerUnverifiedException(host));
+                }
+                throw failInHandshake;
+            } else if (!verifiedHostname) {
+                CertificateCombinedException ce = new CertificateCombinedException((X509Certificate) newSession.getPeerCertificates()[0]);
+                SSLPeerUnverifiedException pue = new SSLPeerUnverifiedException(host);
+                ce.setSslPeerUnverifiedException(pue);
+                pue.initCause(ce);
+                throw pue;
+            }
+            
+        } catch (IOException io) {        
+            try {
+                socket.close();
+            } catch (Exception x) {
+                // NOTHING - irrelevant exception for the caller 
+            }
+            throw io;
         }
     }
-    
-}
+
+}

src/com/owncloud/android/network/AdvancedX509TrustManager.java

@@ -21,8 +21,11 @@ package com.owncloud.android.network;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 
 import javax.net.ssl.TrustManager;
@@ -91,8 +94,35 @@ public class AdvancedX509TrustManager implements X509TrustManager {
      */
     public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
         if (!isKnownServer(certificates[0])) {
-            Log.d(TAG, "checkClientTrusted() with standard trust manager...");
-            mStandardTrustManager.checkClientTrusted(certificates, authType);
+        	CertificateCombinedException result = new CertificateCombinedException(certificates[0]);
+        	try {
+        		certificates[0].checkValidity();
+        	} catch (CertificateExpiredException c) {
+        		result.setCertificateExpiredException(c);
+        		
+        	} catch (CertificateNotYetValidException c) {
+                result.setCertificateNotYetException(c);
+        	}
+        	
+        	try {
+        	    mStandardTrustManager.checkServerTrusted(certificates, authType);
+        	} catch (CertificateException c) {
+                Throwable cause = c.getCause();
+                Throwable previousCause = null;
+                while (cause != null && cause != previousCause && !(cause instanceof CertPathValidatorException)) {     // getCause() is not funny
+                    previousCause = cause;
+                    cause = cause.getCause();
+                }
+                if (cause != null && cause instanceof CertPathValidatorException) {
+                	result.setCertPathValidatorException((CertPathValidatorException)cause);
+                } else {
+                	result.setOtherCertificateException(c);
+                }
+        	}
+        	
+        	if (result.isException())
+        		throw result;
+
         }
     }
     
@@ -105,7 +135,7 @@ public class AdvancedX509TrustManager implements X509TrustManager {
     }
 
     
-    private boolean isKnownServer(X509Certificate cert) {
+    public boolean isKnownServer(X509Certificate cert) {
         try {
             return (mKnownServersKeyStore.getCertificateAlias(cert) != null);
         } catch (KeyStoreException e) {

src/com/owncloud/android/network/CertificateCombinedException.java

@@ -0,0 +1,81 @@
+package com.owncloud.android.network;
+
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLPeerUnverifiedException;
+
+public class CertificateCombinedException extends CertificateException {
+
+    private X509Certificate mServerCert = null;
+    private CertificateExpiredException mCertificateExpiredException = null;
+    private CertificateNotYetValidException mCertificateNotYetValidException = null;
+    private CertPathValidatorException mCertPathValidatorException = null;
+    private CertificateException mOtherCertificateException = null;
+    private SSLPeerUnverifiedException mSslPeerUnverifiedException = null;
+    
+    public CertificateCombinedException(X509Certificate x509Certificate) {
+        mServerCert = x509Certificate;
+    }
+
+    public X509Certificate getServerCertificate() {
+        return mServerCert;
+    }
+
+    public CertificateExpiredException getCertificateExpiredException() {
+        return mCertificateExpiredException;
+    }
+
+    public void setCertificateExpiredException(CertificateExpiredException c) {
+        mCertificateExpiredException  = c;
+    }
+
+    public CertificateNotYetValidException getCertificateNotYetValidException() {
+        return mCertificateNotYetValidException;
+    }
+
+    public void setCertificateNotYetException(CertificateNotYetValidException c) {
+        mCertificateNotYetValidException = c;
+    }
+
+    public CertPathValidatorException getCertPathValidatorException() {
+        return mCertPathValidatorException;
+    }
+
+    public void setCertPathValidatorException(CertPathValidatorException c) {
+        mCertPathValidatorException = c;
+    }
+
+    public CertificateException getOtherCertificateException() {
+        return mOtherCertificateException;
+    }
+
+    public void setOtherCertificateException(CertificateException c) {
+        mOtherCertificateException = c;
+    }
+
+    public SSLPeerUnverifiedException getSslPeerUnverifiedException() {
+        return mSslPeerUnverifiedException ; 
+    }
+
+    public void setSslPeerUnverifiedException(SSLPeerUnverifiedException s) {
+        mSslPeerUnverifiedException = s;
+    }
+
+    public boolean isException() {
+        return (mCertificateExpiredException != null ||
+                mCertificateNotYetValidException != null ||
+                mCertPathValidatorException != null ||
+                mOtherCertificateException != null);
+    }
+
+    public boolean isRecoverable() {
+        return (mCertificateExpiredException != null ||
+                mCertificateNotYetValidException != null ||
+                mCertPathValidatorException != null);
+    }
+
+}

src/com/owncloud/android/network/OwnCloudClientUtils.java

@@ -34,6 +34,8 @@ import javax.net.ssl.TrustManager;
 
 import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
 import org.apache.commons.httpclient.protocol.Protocol;
+import org.apache.http.conn.ssl.BrowserCompatHostnameVerifier;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
 
 import com.owncloud.android.AccountUtils;
 import com.owncloud.android.authenticator.AccountAuthenticator;
@@ -63,6 +65,8 @@ public class OwnCloudClientUtils {
     private static Protocol mDefaultHttpsProtocol = null;
 
     private static AdvancedSslSocketFactory mAdvancedSslSocketFactory = null;
+
+    private static X509HostnameVerifier mHostnameVerifier = null;
     
     
     /**
@@ -191,7 +195,7 @@ public class OwnCloudClientUtils {
         }
     }
     
-    private static AdvancedSslSocketFactory getAdvancedSslSocketFactory(Context context) throws GeneralSecurityException, IOException {
+    public static AdvancedSslSocketFactory getAdvancedSslSocketFactory(Context context) throws GeneralSecurityException, IOException {
         if (mAdvancedSslSocketFactory  == null) {
             KeyStore trustStore = getKnownServersStore(context);
             AdvancedX509TrustManager trustMgr = new AdvancedX509TrustManager(trustStore);
@@ -200,17 +204,8 @@ public class OwnCloudClientUtils {
             SSLContext sslContext = SSLContext.getInstance("TLS");
             sslContext.init(null, tms, null);
                     
-            /*} catch (KeyStoreException e) {
-                e.printStackTrace();
-                    
-            } catch (NoSuchAlgorithmException e) {
-                e.printStackTrace();
-                    
-            } catch (KeyManagementException e) {
-                e.printStackTrace();
-                    
-            }*/
-            mAdvancedSslSocketFactory = new AdvancedSslSocketFactory(sslContext, null);    // TODO HOST NAME VERIFIER
+            mHostnameVerifier = new BrowserCompatHostnameVerifier();
+            mAdvancedSslSocketFactory = new AdvancedSslSocketFactory(sslContext, trustMgr, mHostnameVerifier);
         }
         return mAdvancedSslSocketFactory;
     }

src/com/owncloud/android/network/SslAnalyzer.java

@@ -1,83 +0,0 @@
-/* ownCloud Android client application
- *   Copyright (C) 2011  Bartek Przybylski
- *
- *   This program is free software: you can redistribute it and/or modify
- *   it under the terms of the GNU General Public License as published by
- *   the Free Software Foundation, either version 3 of the License, or
- *   (at your option) any later version.
- *
- *   This program is distributed in the hope that it will be useful,
- *   but WITHOUT ANY WARRANTY; without even the implied warranty of
- *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *   GNU General Public License for more details.
- *
- *   You should have received a copy of the GNU General Public License
- *   along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-package com.owncloud.android.network;
-
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLPeerUnverifiedException;
-
-import com.owncloud.android.operations.RemoteOperationResult;
-
-/**
- * Helper class to check if a SSL error is related to a condition that could be avoided with assistance from the user.
- * 
- * @author David A. Velasco
- */
-public class SslAnalyzer {
-    
-    /**
-     * Search for a SSL-related exception in a remote operation result that can be recoverable
-     * by allowing the user to state the reliability of the certificate from the server. 
-     * 
-     * @param result        Result of a remote operation.
-     * @return              An exception instance that caused the failure of the remote operation and that can be avoided if the user
-     *                      states the certificate from the server as reliable; or NULL if the result is that's not possible
-     */
-    public static Exception getRecoverableException(RemoteOperationResult result) {
-        Exception ret = null;
-        SSLException e = null;
-        Throwable cause = null;
-        if (result.getException() instanceof SSLException) {
-            e = (SSLException)result.getException();
-            if (e instanceof SSLPeerUnverifiedException) {
-                ret = e;
-                
-            } else { 
-                cause = e.getCause();
-                Throwable previousCause = null;
-                boolean recoverableCertException = false;
-                while (cause != null && cause != previousCause && !recoverableCertException) {     // getCause() is not funny
-                    recoverableCertException = (  cause instanceof CertPathValidatorException ||
-                                                cause instanceof CertificateExpiredException ||
-                                                cause instanceof CertificateNotYetValidException );
-                    if (recoverableCertException)
-                        ret = (Exception)cause;
-                    previousCause = cause;
-                    cause = cause.getCause();
-                }
-            }
-        }
-        return ret;
-    }
-    
-    
-    /**
-     * Checks if a remote operation result can be recoverable
-     * by allowing the user to state the reliability of the certificate from the server. 
-     * 
-     * @param result        Result of a remote operation.
-     * @return              An exception instance that caused the failure of the remote operation and that can be avoided if the user
-     *                      states the certificate from the server as reliable; or NULL if the result is that's not possible
-     */
-    public static boolean isRecoverable(RemoteOperationResult result) {
-        return (getRecoverableException(result) != null);
-    }
-
-}

src/com/owncloud/android/operations/RemoteOperationResult.java

@@ -10,6 +10,10 @@ import javax.net.ssl.SSLException;
 import org.apache.commons.httpclient.ConnectTimeoutException;
 import org.apache.commons.httpclient.HttpStatus;
 
+import android.util.Log;
+
+import com.owncloud.android.network.CertificateCombinedException;
+
 
 public class RemoteOperationResult {
     
@@ -29,6 +33,8 @@ public class RemoteOperationResult {
         SSL_ERROR,
         BAD_OC_VERSION, 
     }
+
+    private static final String TAG = null;
     
     private boolean mSuccess = false;
     private int mHttpCode = -1;
@@ -66,30 +72,31 @@ public class RemoteOperationResult {
         
         if (e instanceof SocketException) {  
             mCode = ResultCode.WRONG_CONNECTION;
-            //Log.e(TAG, "Socket exception while trying connection", e);
+            Log.e(TAG, "Socket exception", e);
         
         } else if (e instanceof SocketTimeoutException) {
             mCode = ResultCode.TIMEOUT;
-            //Log.e(TAG, "Socket timeout exception while trying connection", e);
+            Log.e(TAG, "Socket timeout exception", e);
         
         } else if (e instanceof ConnectTimeoutException) {
             mCode = ResultCode.TIMEOUT;
-            //Log.e(TAG, "Socket timeout exception while trying connection", e);
+            Log.e(TAG, "Connect timeout exception", e);
             
         } else if (e instanceof MalformedURLException) {
             mCode = ResultCode.INCORRECT_ADDRESS;
-            //Log.e(TAG, "Connect exception while trying connection", e);
+            Log.e(TAG, "Malformed URL exception", e);
         
         } else if (e instanceof UnknownHostException) {
             mCode = ResultCode.HOST_NOT_AVAILABLE;
-            //Log.e(TAG, "Unknown host exception while trying connection", e);
+            Log.e(TAG, "Unknown host exception", e);
         
         } else if (e instanceof SSLException) {
             mCode = ResultCode.SSL_ERROR;
-            //Log.e(TAG, "SSL exception while trying connection", e);
+            Log.e(TAG, "SSL exception", e);
             
         } else {
             mCode = ResultCode.UNKNOWN_ERROR;
+            Log.e(TAG, "Unknown exception", e);
         }
             
         /*  }   catch (HttpException e) { // other specific exceptions from org.apache.commons.httpclient
@@ -118,4 +125,28 @@ public class RemoteOperationResult {
         return mException;
     }
 
+    public boolean isSslRecoverableException() {
+        return (getSslRecoverableException() != null);
+    }
+    
+    public CertificateCombinedException getSslRecoverableException() {
+        CertificateCombinedException result = null;
+        if (mCode == ResultCode.SSL_ERROR) {
+            if (mException instanceof CertificateCombinedException)
+                result = (CertificateCombinedException)mException;
+            Throwable cause = mException.getCause();
+            Throwable previousCause = null;
+            while (cause != null && cause != previousCause && !(cause instanceof CertificateCombinedException)) {
+                previousCause = cause;
+                cause = cause.getCause();
+            }
+            if (cause != null && cause instanceof CertificateCombinedException)
+                result = (CertificateCombinedException)cause; 
+        }
+        if (result != null && result.isRecoverable())
+            return result;
+        else
+            return null;
+    }
+
 }

src/com/owncloud/android/ui/activity/AuthenticatorActivity.java

@@ -160,10 +160,7 @@ public class AuthenticatorActivity extends AccountAuthenticatorActivity
             break;
         }
         case DIALOG_SSL_VALIDATOR: {
-            SslValidatorDialog sslValidator = SslValidatorDialog.newInstance(this, mLastSslFailedResult, this);
-            if (sslValidator != null)
-                dialog = sslValidator;
-            // else, mLastSslFailedResult is not an SSL fail recoverable by accepting the server certificate as reliable; dialog will still be null
+            dialog = SslValidatorDialog.newInstance(this, mLastSslFailedResult, this);
             break;
         }
         case DIALOG_CERT_NOT_SAVED: {
@@ -540,11 +537,8 @@ public class AuthenticatorActivity extends AccountAuthenticatorActivity
                 mStatusText = R.string.auth_ssl_general_error_title;
                 //mStatusText = R.string.auth_ssl_unverified_server_title;
                 mLastSslFailedResult = result;
-                showDialog(DIALOG_SSL_VALIDATOR);   // see onCreateDialog(); it does not always show the dialog
-	            /*if (InteractiveSslValidatorActivity.isRecoverable(result)) {
-	                Intent intent = new Intent(this, InteractiveSslValidatorActivity.class);
-	                startActivityForResult(intent, REQUEST_FOR_SSL_CERT);
-	            }*/
+                if (mLastSslFailedResult.isSslRecoverableException())
+                    showDialog(DIALOG_SSL_VALIDATOR); 
 	            break;
 	            
 	        case HOST_NOT_AVAILABLE:

src/com/owncloud/android/ui/dialog/SslValidatorDialog.java

@@ -20,16 +20,8 @@ package com.owncloud.android.ui.dialog;
 import java.io.IOException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
-import java.util.List;
-
-import javax.net.ssl.SSLPeerUnverifiedException;
 
 import android.app.Dialog;
 import android.content.Context;
@@ -40,8 +32,8 @@ import android.view.Window;
 import android.widget.TextView;
 
 import com.owncloud.android.R;
+import com.owncloud.android.network.CertificateCombinedException;
 import com.owncloud.android.network.OwnCloudClientUtils;
-import com.owncloud.android.network.SslAnalyzer;
 import com.owncloud.android.operations.RemoteOperationResult;
 
 /**
@@ -54,7 +46,7 @@ public class SslValidatorDialog extends Dialog {
     private final static String TAG = SslValidatorDialog.class.getSimpleName();
 
     private OnSslValidatorListener mListener;
-    private Exception mException = null;
+    private CertificateCombinedException mException = null;
     private View mView;
     
     
@@ -69,7 +61,7 @@ public class SslValidatorDialog extends Dialog {
      *                      by setting the certificate as reliable.
      */
     public static SslValidatorDialog newInstance(Context context, RemoteOperationResult result, OnSslValidatorListener listener) {
-        if (SslAnalyzer.isRecoverable(result)) {
+        if (result.isSslRecoverableException()) {
             SslValidatorDialog dialog = new SslValidatorDialog(context, listener);
             return dialog;
         } else {
@@ -100,7 +92,6 @@ public class SslValidatorDialog extends Dialog {
         requestWindowFeature(Window.FEATURE_NO_TITLE);
         mView = getLayoutInflater().inflate(R.layout.ssl_validator_layout, null);
         setContentView(mView); 
-        //setTitle(R.string.ssl_validator_title);
         
         mView.findViewById(R.id.ok).setOnClickListener( 
                 new View.OnClickListener() {
@@ -134,52 +125,50 @@ public class SslValidatorDialog extends Dialog {
     
     
     public void updateResult(RemoteOperationResult result) {
-        mException = SslAnalyzer.getRecoverableException(result);
-        if (mException instanceof CertPathValidatorException ) {
-            showCertificateData(((CertPathValidatorException)mException).getCertPath());
-            ((TextView)mView.findViewById(R.id.reason_cert_not_trusted)).setVisibility(View.VISIBLE);
+        mException = result.getSslRecoverableException();
+        if (mException != null) {
+            // "clean" view
+            ((TextView)mView.findViewById(R.id.reason_cert_not_trusted)).setVisibility(View.GONE);
             ((TextView)mView.findViewById(R.id.reason_cert_expired)).setVisibility(View.GONE);
             ((TextView)mView.findViewById(R.id.reason_cert_not_yet_valid)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_hostname_not_vertified)).setVisibility(View.GONE);
+            ((TextView)mView.findViewById(R.id.reason_hostname_not_verified)).setVisibility(View.GONE);
+            ((TextView)mView.findViewById(R.id.subject)).setVisibility(View.GONE);
+
+            if (mException.getCertPathValidatorException() != null) {
+                ((TextView)mView.findViewById(R.id.reason_cert_not_trusted)).setVisibility(View.VISIBLE);
+            }
             
-        } else if (mException instanceof CertificateExpiredException ) {
-            ((TextView)mView.findViewById(R.id.reason_cert_not_trusted)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_cert_expired)).setVisibility(View.VISIBLE);
-            ((TextView)mView.findViewById(R.id.reason_cert_not_yet_valid)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_hostname_not_vertified)).setVisibility(View.GONE);
+            if (mException.getCertificateExpiredException() != null) {
+                ((TextView)mView.findViewById(R.id.reason_cert_expired)).setVisibility(View.VISIBLE);
+            }
             
-        } else if (mException instanceof CertificateNotYetValidException ) {
-            ((TextView)mView.findViewById(R.id.reason_cert_not_trusted)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_cert_expired)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_cert_not_yet_valid)).setVisibility(View.VISIBLE);
-            ((TextView)mView.findViewById(R.id.reason_hostname_not_vertified)).setVisibility(View.GONE);
+            if (mException.getCertificateNotYetValidException() != null) {
+                ((TextView)mView.findViewById(R.id.reason_cert_not_yet_valid)).setVisibility(View.VISIBLE);
+            } 
+
+            if (mException.getSslPeerUnverifiedException() != null ) {
+                ((TextView)mView.findViewById(R.id.reason_hostname_not_verified)).setVisibility(View.VISIBLE);
+            }
             
-        } else if (mException instanceof SSLPeerUnverifiedException ) {
-            ((TextView)mView.findViewById(R.id.reason_cert_not_trusted)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_cert_expired)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_cert_not_yet_valid)).setVisibility(View.GONE);
-            ((TextView)mView.findViewById(R.id.reason_hostname_not_vertified)).setVisibility(View.VISIBLE);
+            
+            showCertificateData(mException.getServerCertificate());
         }
         
     }
     
-    private void showCertificateData(CertPath certPath) {
-        final List<? extends Certificate> certs = certPath.getCertificates();
-        /*X509Certificate badCert = null;
-        if (e.getIndex() >= 0 && e.getIndex() < certs.size()) 
-            badCert = (X509Certificate) certs.get(e.getIndex());*/
-        if (certs.size() > 0) {
-            X509Certificate serverCert = (X509Certificate) certs.get(0);
-            String text = serverCert.getSubjectDN().getName();
+    private void showCertificateData(X509Certificate cert) {
+        TextView subject = (TextView)mView.findViewById(R.id.subject);
+        if (cert != null) {
+            String text = cert.getSubjectDN().getName();
             text = text.substring(text.indexOf(",") + 1);
-            ((TextView)mView.findViewById(R.id.issuer)).setText(text);
+            subject.setVisibility(View.VISIBLE);
+            subject.setText(text);
         }
     }
 
     private void saveServerCert() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
-        // TODO be able to add certificate for any recoverable exception
-        if (mException instanceof CertPathValidatorException) {
-            OwnCloudClientUtils.addCertToKnownServersStore(((CertPathValidatorException) mException).getCertPath().getCertificates().get(0), getContext());
+        if (mException.getServerCertificate() != null) {
+            OwnCloudClientUtils.addCertToKnownServersStore(mException.getServerCertificate(), getContext());
         }
     }