2

I have an app that has been published for years. It was working very well, but recently it started to throw SSLHandshakeExceptions, but only on Android 12.

I can't find any official documentation on whether something has changed in Android 12 that I would have to implement in order to make things work, so I'm just clueless.

Here is the log:

Caused by java.security.cert.CertificateException: Unacceptable certificate: CN=R3, O=Let's Encrypt, C=US
       at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:609)
       at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
       at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
       at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:353)
       at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
       at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
       at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
       at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
       at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
       at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(NativeCrypto.java)
       at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
       at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
       at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
       at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
       at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
       at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
       at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
       at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:731)
       at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
       at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
       at com.squareup.okhttp.Connection.connectTls(Connection.java:235)
       at com.squareup.okhttp.Connection.connectSocket(Connection.java:199)
       at com.squareup.okhttp.Connection.connect(Connection.java:172)
       at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:367)
       at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128)
       at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:328)
       at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:245)
       at com.squareup.okhttp.Call.getResponse(Call.java:267)
       at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:224)
       at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:195)
       at com.squareup.okhttp.Call.execute(Call.java:79)
       at com.kwindoo.application.network.newapilib.lib.BaseNetworkTask.doInBackground(BaseNetworkTask.java:325)
       at com.kwindoo.application.network.newapilib.lib.BaseNetworkTask.doInBackground(BaseNetworkTask.java:38)
       at android.os.AsyncTask$3.call(AsyncTask.java:394)
       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
       at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:305)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
       at java.lang.Thread.run(Thread.java:920)

I also have a second exception, which is CertExpiredException. So would this be only a server-side fix?

Caused by java.security.cert.CertificateExpiredException: Certificate expired at Wed Sep 29 12:21:40 PDT 2021 (compared to Thu Mar 31 07:13:28 PDT 2022)
       at com.android.org.conscrypt.OpenSSLX509Certificate.checkValidity(OpenSSLX509Certificate.java:269)
       at com.android.org.conscrypt.OpenSSLX509Certificate.checkValidity(OpenSSLX509Certificate.java:255)
       at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:605)
       at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
       at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
       at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:353)
       at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
       at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
       at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
       at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
       at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
       at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(NativeCrypto.java)
       at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
       at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
       at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
       at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
       at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
       at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
       at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
       at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:731)
       at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
       at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
       at com.squareup.okhttp.Connection.connectTls(Connection.java:235)
       at com.squareup.okhttp.Connection.connectSocket(Connection.java:199)
       at com.squareup.okhttp.Connection.connect(Connection.java:172)
       at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:367)
       at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128)
       at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:328)
       at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:245)
       at com.squareup.okhttp.Call.getResponse(Call.java:267)
       at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:224)
       at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:195)
       at com.squareup.okhttp.Call.execute(Call.java:79)
       at com.kwindoo.application.network.newapilib.lib.BaseNetworkTask.doInBackground(BaseNetworkTask.java:325)
       at com.kwindoo.application.network.newapilib.lib.BaseNetworkTask.doInBackground(BaseNetworkTask.java:38)
       at android.os.AsyncTask$3.call(AsyncTask.java:394)
       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
       at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:305)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
       at java.lang.Thread.run(Thread.java:920)

I use the following libs for my networking layer:

  implementation 'com.squareup.okio:okio:2.8.0'
  implementation 'com.squareup.okhttp:okhttp:2.5.0'

Any tips?

2
  • Normally, with Let's Encrypt, they have you install a server-side tool that auto-updates your certificates before they expire. You might want to check to see if that's working and if your certificate is up to date. If it is, then perhaps you are seeing some sort of network interception that is somehow messing with your certificates for some users (though it is odd that the problem only shows up on Android 12... 🤔). Commented Mar 31, 2022 at 22:14
  • Please check this official Google documentation for reference: developer.android.com/training/articles/security-ssl Commented Apr 11, 2022 at 10:59

2 Answers 2

2

This is a known issue, as some certificates signed by Let's Encrypt are not trusted.

That is a server-side problem; please update the certificate.

0

The expiration date in your second exception is the expiration date of the R3 intermediate signing certificate which was previously used by Let's Encrypt: https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

It has since been replaced by a new root certificate, and Android 12 is compatible with the new root certificate.

Maybe this is a library problem; the okhttp version you use is outdated: https://square.github.io/okhttp/

You can try to migrate to the latest version:

implementation("com.squareup.okhttp3:okhttp:4.9.3")
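
A server-side check for what the second exception describes, as an added example that is not part of the original answer: it parses constructed `openssl x509 -noout -subject -enddate` output for each certificate a server sends and reports which chain position is expired at the device's clock time. The leaf name and its date are invented; only the R3 expiry and the comparison time come from the log in the question.

```python
from datetime import datetime, timezone

# Constructed sample: what `openssl x509 -noout -subject -enddate` could print
# for each certificate a server sends, leaf first. Only the R3 expiry comes
# from the exception on this page (Sep 29 12:21:40 PDT 2021 = 19:21:40 GMT);
# the leaf name and its date are invented for the example.
SAMPLE_CHAIN = """\
subject=CN = api.example.test
notAfter=Jun 20 08:00:00 2022 GMT
subject=C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 29 19:21:40 2021 GMT
"""

def parse_chain(text):
    """Return [(subject, not_after_utc), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter" and subject is not None:
            when = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            chain.append((subject, when.replace(tzinfo=timezone.utc)))
            subject = None
    return chain

def expired_entries(chain, at):
    """List (position, role, subject, not_after) for every cert expired at `at`."""
    found = []
    for pos, (subject, not_after) in enumerate(chain):
        if at > not_after:
            role = "leaf" if pos == 0 else "intermediate"
            found.append((pos, role, subject, not_after))
    return found

def diagnose(text, at):
    """One line per expired certificate, or a note that none is expired."""
    hits = expired_entries(parse_chain(text), at)
    if not hits:
        return ["no served certificate is expired at that time"]
    return [f"[{p}] {role} '{s}' expired {t:%Y-%m-%d %H:%M:%S} UTC"
            for p, role, s, t in hits]

# Device clock from the exception: Thu Mar 31 07:13:28 PDT 2022 = 14:13:28 UTC.
DEVICE_TIME = datetime(2022, 3, 31, 14, 13, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_CHAIN, DEVICE_TIME)))
```

With this sample the leaf is still valid and only position 1 is reported, which is the case where renewing the leaf alone does not help and the server has to stop sending the expired intermediate.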
