
My app is getting an SSLHandshakeException since I updated it to use a network security config.

The app makes requests to two servers. One of them is a development server accessible only on my company network. The other one is a public server running ArcGIS Server. The domain is able to communicate over TLS 1.2.

So I expect everything to work by just adding a rule for my private development server. This is the content of my network security config:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">172.17.1.14</domain>
    </domain-config>
</network-security-config>

Unfortunately, any request to my public server (using a third-party API from the server's manufacturer) results in the following exception:

Caused by: java.security.cert.CertificateException: Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used
        at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:111)
        at com.esri.arcgisruntime.internal.e.a.a.checkServerTrusted(SourceFile:161)
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:212)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
        at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)

Since my public server has a valid certificate and is TLS 1.2 aware, this should not happen, right?

The following network security config works fine, but it is insecure:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config xmlns:android="http://schemas.android.com/apk/res/android">
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

In addition, I read that Facebook's Audience Network Android SDK also experienced issues with the network security configuration because they cache files on localhost. I tried the same solution they proposed, but it also didn't work: https://developers.facebook.com/docs/audience-network/android-network-security-config/

What have I done wrong? Sniffing the emulator's network traffic did not show any requests other than the expected ones.

Plinio.Santos
  • Found any solution? – NehaK Oct 01 '20 at 06:59
  • @NehaK I did not. I suspect that the ArcGIS platform is doing some redirects over HTTP, but could not find out for sure. – Plinio.Santos Oct 05 '20 at 14:14
  • I was getting the same issue, but then I tried to make the request using Glide, so I found the URL in the error, added that URL inside this tag, and it worked. Maybe it will help somebody. – NehaK Oct 06 '20 at 08:14
  • Was the URL which was the root cause of the error a direct request or a redirect? Soon I'll have to look into this again, so if you post it as an answer I can probably verify and accept it. – Plinio.Santos Oct 07 '20 at 12:13
  • No, it's fine. If you get any issue in the future you can try this method. – NehaK Oct 07 '20 at 13:24

1 Answer


I've faced similar issues too. After some investigation, I found an issue on GitHub with a detailed description of why this can happen: https://github.com/microsoft/cpprestsdk/issues/1313 In short, it's new behaviour of the Android Framework. If your network config contains any <domain-config> blocks, the Framework throws a CertificateException if you call checkServerTrusted(X509Certificate[] certs, String authType) on the X509TrustManager. So instead you should use X509TrustManagerExtensions and call the method that has a hostname in its signature.

KoirN
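As an added illustration of the answer above (this is example code written for this page, not code from the question, the answer, the ArcGIS SDK or the Android framework), here is a wrapping X509TrustManager of the kind a third-party SDK typically installs, written so that it still works once the network security config contains a <domain-config> block. The class name HostAwareTrustManager and its constructor are assumptions; X509TrustManagerExtensions (android.net.http, API 17+) and its checkServerTrusted(X509Certificate[], String, String) method are real platform APIs. The comment about Conscrypt looking up the three-argument method is my understanding of its behaviour and is not stated on the page.

```java
import android.net.http.X509TrustManagerExtensions;

import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the question, the answer, ArcGIS or the Android
 * framework): a wrapping trust manager that keeps the hostname-aware check
 * required when the network security config has domain-specific rules.
 * The class name and constructor are assumptions for illustration.
 */
public final class HostAwareTrustManager implements X509TrustManager {

    private final X509TrustManager platform;
    private final X509TrustManagerExtensions ext;

    public HostAwareTrustManager() throws Exception {
        // The default factory returns the platform RootTrustManager, which is
        // what enforces the app's network security config.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509TrustManager available on this platform");
        }
        platform = found;
        // X509TrustManagerExtensions exposes the hostname-aware check that
        // RootTrustManager insists on once <domain-config> blocks exist.
        ext = new X509TrustManagerExtensions(platform);
    }

    /**
     * Hostname-aware check. My understanding (not stated on the page) is that
     * Conscrypt on Android looks for a method with exactly this signature on
     * the trust manager and prefers it over the two-argument one, so providing
     * it lets the domain rules for {@code host} be applied instead of the
     * "Domain specific configurations require ..." CertificateException.
     */
    public List<X509Certificate> checkServerTrusted(
            X509Certificate[] chain, String authType, String host) throws CertificateException {
        if (host == null || host.isEmpty()) {
            throw new CertificateException("hostname required when domain-specific config is in use");
        }
        return ext.checkServerTrusted(chain, authType, host);
    }

    /**
     * Plain two-argument check, kept only to satisfy the interface. Routing TLS
     * server verification through this with a <domain-config> present makes the
     * platform RootTrustManager throw the exact exception shown in the question,
     * so this delegates and lets that descriptive failure surface.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers();
    }
}
```

To use it, initialise an SSLContext with `new TrustManager[]{ new HostAwareTrustManager() }` and hand its socket factory to HttpsURLConnection or the HTTP client in use; the point is that whatever wrapper an SDK places between Conscrypt and the platform trust manager must forward the hostname rather than calling the two-argument checkServerTrusted, because that is the call RootTrustManager rejects in the stack trace above.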