
EDIT

It does not seem to be a duplicate to me since all the other questions are related to repeatable issues and not intermittent ones like this one.

END-EDIT

I have an app that runs some HTTP GET requests. The app runs on API 21+. It works fine most of the time, but very rarely one HTTP GET fails with the error:

D/OkHttp: --> GET https://url/url2?parm1=value1
D/OkHttp: --> END GET
D/OkHttp: <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

When this starts happening, it keeps happening until I kill the app. I'm using Retrofit with OkHttp 4.3.1. I'm going to update to the latest version now just in case this is a bug in OkHttp, but I didn't find any report.

The code for the HTTP call is the usual code with Retrofit:

// `client` (an OkHttpClient) and `gson` (a Gson instance) are defined elsewhere in the app.
// Note: this is a computed property, so every access builds a fresh Retrofit instance.
private val retrofit: Retrofit
    get() = Retrofit.Builder()
            .baseUrl(BuildConfig.BASE_URL)
            .addConverterFactory(GsonConverterFactory.create(gson))
            .addCallAdapterFactory(CoroutineCallAdapterFactory())
            .client(client)
            .build()

// Likewise a new service proxy is created on each access.
internal val service: AppService
    get() = retrofit.create(AppService::class.java)

internal interface AppService {
    // The full URL is passed per call via @Url, so no relative path is given to @GET.
    @GET
    suspend fun loadServerListAsync(@Url url: String): Response<List<Server>>
}

In the past I have seen this error in another app. In that case the error wasn't intermittent and the problem was on the backend: they had changed a certificate, but they hadn't updated all the intermediate certificates.

In this case it looks like the error is different since it is intermittent and killing the app fixes it. There is no load balancer on the backend so it can't be that different servers have different certificates.

kingston
  • check your URL if it's starting with HTTP to https – Ritu Suman Mohanty Aug 13 '20 at 13:36
  • thanks @RituSumanMohanty. The URL is correct. I modified it a bit in the question but it is HTTPS anyway – kingston Aug 13 '20 at 14:02
  • The other question has an OkHttp answer, so this should resolve the issue. There's also a deleted answer, which would be the anti-pattern (you'd need a little more reputation to view it). It was something like this stupid approach: https://stackoverflow.com/questions/37686625/disable-ssl-certificate-check-in-retrofit-library – Martin Zeitler Aug 13 '20 at 16:19
  • @MartinZeitler. How can the issue be intermittent if it is just a problem of the certificate not being trusted? It can't be an intermittent problem on the server because it is enough to kill the app – kingston Aug 13 '20 at 16:22
  • @kingston You'd need to configure the OkHttp client which Retrofit uses differently. Usually the first thing to check with SSL issues is to run SSL check on the server, to see which certificate one is dealing with; one still can set up the local trust store then. See https://www.ssllabs.com/ssltest/ – Martin Zeitler Aug 13 '20 at 16:30
  • Thanks @MartinZeitler, I will try that, but still I don't know how this can be an intermittent issue and why killing the app fixes it – kingston Aug 13 '20 at 16:32
  • [This](https://stackoverflow.com/questions/55547248/retrofit-not-working-on-specific-versions-of-android/55667454#55667454) might also be related, depending which API level & server-side TLS version you may run the code against. That's why checking for the certificate chain is being suggested. If killing the app and restarting it cures the issue, this might eventually have to do with certificate pinning (there is an OS side component to it). – Martin Zeitler Aug 13 '20 at 16:32
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/219755/discussion-between-kingston-and-martin-zeitler). – kingston Aug 13 '20 at 16:35
  • No thanks; need to work. Only 2 more bugs until invoice. Without the API level and the TLS version, this question is even rather abstract. – Martin Zeitler Aug 13 '20 at 16:36
  • Same server IP address when it succeeds and when it fails? – Jesse Wilson Aug 13 '20 at 22:12
  • Yes it is the same server – kingston Aug 14 '20 at 05:04
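
To check whether the server presents a different chain on the failing handshakes (the point raised in the last two comments), here is an added diagnostic, not code from the question: it wraps the platform X509TrustManager so that the presented chain is logged only when platform validation rejects it, and then rethrows, so validation itself is unchanged. The resulting OkHttpClient is what the question's Retrofit builder would receive as `client`; the log tag and the function names are assumptions.

```kotlin
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

// Delegates every decision to the platform trust manager; only adds logging on rejection.
class ChainLoggingTrustManager(private val delegate: X509TrustManager) : X509TrustManager {
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) =
        delegate.checkClientTrusted(chain, authType)

    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        try {
            delegate.checkServerTrusted(chain, authType)
        } catch (e: CertificateException) {
            // Record exactly what the server sent (leaf first), so a failing handshake
            // can be compared against a successful one: same leaf? same intermediates?
            val summary = chain.joinToString(" | ") { c ->
                "subject=${c.subjectX500Principal.name} issuer=${c.issuerX500Principal.name} notAfter=${c.notAfter}"
            }
            android.util.Log.w("TLS", "chain rejected (${chain.size} certs): $summary", e)
            throw e // validation outcome is unchanged
        }
    }

    override fun getAcceptedIssuers(): Array<X509Certificate> = delegate.acceptedIssuers
}

// The default TrustManagerFactory with a null KeyStore yields the platform (system CA) trust manager.
fun platformTrustManager(): X509TrustManager {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(null as KeyStore?)
    return tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
}

// Assumed helper: builds the OkHttpClient that the Retrofit builder is given as `client`.
fun diagnosticClient(): OkHttpClient {
    val tm = ChainLoggingTrustManager(platformTrustManager())
    val ctx = SSLContext.getInstance("TLS").apply { init(null, arrayOf(tm), null) }
    return OkHttpClient.Builder()
        .sslSocketFactory(ctx.socketFactory, tm)
        .build()
}
```

Comparing the logged chain with the one reported by the SSL Labs test linked in the comments shows whether the intermediates the server sends differ between attempts.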

1 Answer


It can be related to the cipher security protocol TLSv1 failing and falling back to the deprecated SSLv3.

To prevent a TLSv1 secure connection from falling back to SSLv3 in the simulator and throwing a connection error, because SSLv3 is now deprecated and insecure (Android Studio: Failure in SSL library, usually a protocol error):

Install updated security provider using Google Play Services. This effectively gives your app access to a newer version of OpenSSL and Java Security Provider, which includes support for TLSv1.2 in SSLEngine. Once the new provider is installed, you can create an SSLEngine which supports SSLv3, TLSv1, TLSv1.1 and TLSv1.2 the usual way.

This should be the answer to your problem: Javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: Failure in SSL library, usually a protocol error

Nicolas Buquet
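
The security-provider update the answer refers to, written out as an added Kotlin example (not the answer's own code; it assumes the Google Play services dependency that provides com.google.android.gms.security.ProviderInstaller is present). It runs the update asynchronously before the OkHttpClient is built and reports the outcome, leaving certificate validation as it is:

```kotlin
import android.content.Context
import android.content.Intent
import android.util.Log
import com.google.android.gms.common.GoogleApiAvailability
import com.google.android.gms.security.ProviderInstaller

// Assumed entry point: call once early (e.g. from Application.onCreate) and build
// the OkHttpClient/Retrofit instances from `onReady`, so they pick up the updated provider.
fun installSecurityProvider(context: Context, onReady: () -> Unit) {
    ProviderInstaller.installIfNeededAsync(context, object : ProviderInstaller.ProviderInstallListener {
        override fun onProviderInstalled() {
            Log.i("TLS", "security provider is up to date")
            onReady()
        }

        override fun onProviderInstallFailed(errorCode: Int, recoveryIntent: Intent?) {
            val availability = GoogleApiAvailability.getInstance()
            if (availability.isUserResolvableError(errorCode)) {
                // Play services is missing, disabled or outdated; the error dialog
                // (availability.getErrorDialog from an Activity) lets the user fix it.
                Log.w("TLS", "provider update needs user action, error code $errorCode")
            } else {
                Log.e("TLS", "provider update not possible on this device, error code $errorCode")
            }
            // Continue with the platform's own provider; trust decisions are not relaxed.
            onReady()
        }
    })
}
```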