Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SSLHandshakeException on Android 5 (API 21)

See original GitHub issue

I pushed a new version of my app to production and started to get bunch of complains from users. Turns out with okhttp 4.3.0 there is SSLHandshakeException happening only on Android 5 for some reason. I’m getting this exception for all my requests including requests from 3th party SDKs. It’s reproducible on API 21 Emulator.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:306)
        at com.android.okhttp.Connection.upgradeToTls(Connection.java:197)
        at com.android.okhttp.Connection.connect(Connection.java:151)
        at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:276)
        at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:211)
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:373)
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:323)
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:491)
        at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:105)
        at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:25)
...
     Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
        at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
        at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:113)
        at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:525)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
        at com.android.okhttp.Connection.upgradeToTls(Connection.java:197) 
        at com.android.okhttp.Connection.connect(Connection.java:151) 
        at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:276) 
        at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:211) 
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:373) 
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:323) 
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:491) 
        at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:105) 
        at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:25) 
...
     Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
        at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318) 
        at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219) 
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:113) 
        at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:525) 
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) 
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302) 
        at com.android.okhttp.Connection.upgradeToTls(Connection.java:197) 
        at com.android.okhttp.Connection.connect(Connection.java:151) 
        at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:276) 
        at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:211) 
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:373) 
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:323) 
        at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:491) 
        at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:105) 
        at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:25) 
...

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:1
  • Comments:23

github_iconTop GitHub Comments

5reactions
yschimkecommented, Jan 5, 2020

@swankjesse heads up another fix for 4.3.1

We lost this code in 4.3, which breaks some hosts on Android 5

      // This is SSLParameters.setServerNames() in API 24+.
      setHostname.invoke(sslSocket, hostname)
2reactions
yschimkecommented, Jul 28, 2021

@vipulasri this certificate chain isn’t supported on Android 21, there is no root CA certificate in the Android TrustManager.

See https://talkatone.zendesk.com/hc/en-us/articles/360044415672-Android-Users-Running-OS-Versions-4-4-4-5-0- https://serverfault.com/questions/792143/why-is-my-ssl-certificate-untrusted-on-android

Please continue any further discussion in a forum like stackoverflow, I’ve mainly been using this as a was to look at reproducing similar issues. But it’s not a bug and not something we actively support.

Read more comments on GitHub >

github_iconTop Results From Across the Web

javax.net.ssl.SSLHandshakeException: Handshake failed ...
javax.net.ssl.SSLHandshakeException: Handshake failed on Android 5.0.0 when SSLv2 and SSlv3 are disabled (TLS only) (and greater).
Read more >
SSLHandshakeException
Summary. Public constructors; Inherited methods. Public constructors. SSLHandshakeException. Added in API level 1. Summary: Ctors | Inherited Methods ...
Read more >
How to Fix SSL Connection Errors on Android Phones
Here's how to remedy an Android error that prevents SSL connections online: a step-by-step guide on how to fix SSL connection errors on...
Read more >
How to Fix issue of SSL Handshake Exception on Android
Recently I was working on a chat application for the android platform ... was without SSL (that is the HTTP scheme - http://api.example.com)....
Read more >
FAQ: How do I enable TLS 1.2 for ArcGIS Runtime SDK for ...
Esri Support v5.5 is now available for download! ... support TLS 1.2 on devices running Android versions 5.0 and above (API 21 and...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

RealWebSocket send throws writerTask NPE

Next page

okhttp 4.3.0 crash with custom X509TrustManager