
I need to connect to my server API with TLS_v1; the server certificate is signed by a CA that is not included in older versions of Android, so I used this Google document to implement a custom TrustManager. Everything works on API 18 and above, but it throws SSLHandshakeException on JELLY_BEAN (API 17):

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I have another server URL and certificate (in this case self-signed) that works even on JELLY_BEAN with the same TrustManager implementation!!

I'm using OkHttp 2.4 as the HTTPS client. I'm confused about what's going wrong.

Update: this is the result from SSLLabs:

The intermediate and root TurkTrust CA (shown above) were added to my TrustManager.

Mojtaba Asgari

1 Answer


A possible explanation is that the server requires Server Name Indication (SNI) to send the proper certificate back and sends only some default certificate if SNI is not used. Thus the client would not get the expected certificate and the validation would fail.

According to the documentation OkHTTP should support SNI, but a recent report indicates otherwise. In the Changelog I cannot see when it was added. It might also be that support depends on the underlying libraries.

EDIT: based on the report from SSLLabs which was added to the question, it is now clear that the problem is a missing intermediate certificate at the server. This is shown in the report by

Chain Issues: Incomplete, Extra Download, ....

In this case it will not help if the client has explicitly added the root CA (Türktrust Elektronik Sertifika...), because due to the missing intermediate CA (Türktrust SSL Sertifikasi Hizmitleri) no trust chain can be built from the leaf certificate of the site to the root certificate. From the report it can also be seen that the server not only fails to include the chain certificate but also adds some certificate which does not belong to the chain at all. Thus my guess is that there was an attempt to include a chain certificate but the wrong one was used and, apart from that, at the wrong place (after the root instead of after the leaf certificate).

While some desktop browsers work around such problems, most mobile browsers will not work around this server-side misconfiguration, and the SSL APIs for Python, PHP, Java, ... will also fail. Therefore this is a problem which needs to be fixed at the server.

Steffen Ullrich
  • The API URL connects to exactly one IP, so I think SNI is not my case. – Mojtaba Asgari Apr 25 '16 at 14:43
  • 1
    @MojtabaAsg: have you checked with [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html)? They show if any problems are to be expected with a variety of TLS clients. Typical causes for problems are also missing chain certificates, shown by SSLLabs as "chain issues" and "extra download". These are just guesses: for more help you had better present the URL in question. – Steffen Ullrich Apr 25 '16 at 14:53
  • I can't share the API URL, but the answer is updated with the filtered result. – Mojtaba Asgari Apr 25 '16 at 15:14
  • 1
    @MojtabaAsg: the shared information helps. Answer updated. – Steffen Ullrich Apr 25 '16 at 15:54
  • Very thanks. I will check with the server admin as soon as possible. I hope this fixes the problem, but how does this case work above Jelly Bean? – Mojtaba Asgari Apr 25 '16 at 16:08
  • 1
    @MojtabaAsg: I think this should fix the problem for Jelly Bean too, because as far as I can guess from your information the cause is the same. – Steffen Ullrich Apr 25 '16 at 17:02
  • I mean, if the cause is server-side, why does the application work in KitKat, Lollipop, Marshmallow? – Mojtaba Asgari Apr 25 '16 at 17:18
  • 1
    @MojtabaAsg: I agree that this is really strange, but I cannot tell from the information provided what's really going on there. Maybe it will help if you provide the code of what you actually did (i.e. what the content of your custom key store really is). – Steffen Ullrich Apr 25 '16 at 17:32
  • You saved me :) You detected the problem exactly. – Mojtaba Asgari Apr 27 '16 at 07:31
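The chain problem described in the answer's EDIT, reproduced with a throwaway CA hierarchy as an added example (POSIX shell plus the openssl CLI; this is not code from the question, the answer, or OkHttp). It assumes openssl and awk are on PATH; every key, certificate, name and file path is constructed locally. `verify_leaf_only` mirrors a client that trusts only the root while the server sends just the leaf (the "Chain Issues: Incomplete" finding), `verify_with_served_intermediate` mirrors the server-side fix, and `chain_is_complete` checks a saved chain bundle for the same defect. `verify_with_trusted_intermediate` shows that OpenSSL does accept a chain when the intermediate is already in the client's trust store; not every validator does, which is one reason results differ between clients, and the robust fix remains serving the full chain.

```shell
#!/bin/sh
# Added example (not from the question, the answer or OkHttp): build a
# root -> intermediate -> leaf hierarchy with the openssl CLI and show why
# a leaf served without its intermediate cannot be validated.
# Assumes: openssl and awk on PATH. All keys, names and paths are constructed here.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: the subject comes from -subj, so the DN section is empty.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Issue a CSR with a fresh RSA key. $1 = file name, $2 = subject CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Construct the hierarchy: self-signed root, intermediate signed by the root,
# leaf signed by the intermediate. Then prepare the two "served chains".
make_pki() {
    new_csr root "Example Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    new_csr int "Example Intermediate CA"
    openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

    new_csr leaf "api.example.test"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

    # What a misconfigured server sends (leaf only) versus a correct one
    # (leaf followed by the intermediate), plus a root+intermediate trust store.
    cp "$WORK/leaf.pem" "$WORK/served_incomplete.pem"
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served_complete.pem"
    cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/trust_root_and_int.pem"
}

# Client trusts only the root; server sends just the leaf. The issuer of the
# leaf is nowhere to be found, so no path can be built ("Chain Issues: Incomplete").
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the server now also sends the intermediate
# (-untrusted models certificates received over the wire): the path builds.
verify_with_served_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Client holds root and intermediate as trust anchors while the server still
# sends only the leaf. OpenSSL accepts this; a server must not rely on it.
verify_with_trusted_intermediate() {
    openssl verify -CAfile "$WORK/trust_root_and_int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Check a saved chain bundle (e.g. captured with openssl s_client -showcerts):
# succeeds when the first certificate's issuer appears as the subject of a
# later certificate in the bundle, i.e. the intermediate was actually served.
chain_is_complete() {
    dir="$(mktemp -d)"
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$1"
    want="$(openssl x509 -in "$dir/c1.pem" -noout -issuer)"
    want="${want#issuer=}"
    found=1
    for f in "$dir"/c*.pem; do
        [ "$f" = "$dir/c1.pem" ] && continue
        got="$(openssl x509 -in "$f" -noout -subject)"
        [ "${got#subject=}" = "$want" ] && found=0
    done
    rm -rf "$dir"
    return $found
}

make_pki
if verify_leaf_only; then echo "leaf only: verified"; else echo "leaf only: FAILED, no path to the root"; fi
if verify_with_served_intermediate; then echo "leaf + served intermediate: verified"; fi
if chain_is_complete "$WORK/served_incomplete.pem"; then echo "served_incomplete: complete"; else echo "served_incomplete: intermediate missing"; fi
if chain_is_complete "$WORK/served_complete.pem"; then echo "served_complete: complete"; fi
```

To apply the same check to a real endpoint, save what the server actually sends with `openssl s_client -connect host:443 -servername host -showcerts < /dev/null` and pass that output to `chain_is_complete`; a bundle whose first certificate's issuer is not among the following certificates is exactly what SSLLabs flags as an incomplete chain.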