During OCSP verification, Android 11 detects that the Responder's certificate is not authorized to sign the OCSP response, then it tries to send this exception to the Revocation checker to prepare for failure, and once this exception is received, it falls back to using the CRL method.
Here, the exception from OCSP is not reaching the Revocation checker to prepare for this exception; it ends up printing the trace below with a chain validation failure.
Please note, the device time is properly set and the CA certificates are properly installed on the device. Also, this issue of failing to send the exception occurs rarely; once it fails, it continuously fails to send the exception to the Revocation checker.
Below is the trace sequence I observe:
12-01 19:31:24.909 6369 6552 W System.err: OCSP_Response: final else case - Responder cert not authorized to sign
12-01 19:31:25.114 6369 6552 W System.err: javax.net.ssl.SSLHandshakeException: Chain validation failed
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:356)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:896)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:236)
12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:218)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-01 19:31:25.114 6369 6552 W System.err: at com.symbol.mxtest.MainActivity$SslCertificateLogger.intercept(MainActivity.java:193)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
12-01 19:31:25.115 6369 6552 W System.err: at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
12-01 19:31:25.115 6369 6552 W System.err: at com.symbol.mxtest.MainActivity.run(MainActivity.java:162)
12-01 19:31:25.115 6369 6552 W System.err: at com.symbol.mxtest.MainActivity.checkme(MainActivity.java:138)
12-01 19:31:25.115 6369 6552 W System.err: at com.symbol.mxtest.MainActivity$1$1.run(MainActivity.java:108)
12-01 19:31:25.115 6369 6552 W System.err: at java.lang.Thread.run(Thread.java:923)
12-01 19:31:25.115 6369 6552 W System.err: Caused by: java.security.cert.CertificateException: Chain validation failed
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:719)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:570)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:353)
12-01 19:31:25.115 6369 6552 W System.err: at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
12-01 19:31:25.115 6369 6552 W System.err: at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:260)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
12-01 19:31:25.115 6369 6552 W System.err: ... 30 more
12-01 19:31:25.115 6369 6552 W System.err: Caused by: java.security.cert.CertPathValidatorException: OCSP_Response: Responder's certificate is not authorized to sign OCSP responses
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:140)
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:222)
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
12-01 19:31:25.115 6369 6552 W System.err: at java.security.cert.CertPathValidator.validate(CertPathValidator.java:301)
12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:715)
12-01 19:31:25.115 6369 6552 W System.err: ... 46 more
12-01 19:31:25.115 6369 6552 W System.err: Caused by: java.security.cert.CertPathValidatorException: OCSP_Response: Responder's certificate is not authorized to sign OCSP responses
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:577)
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:734)
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:376)
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:349)
12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:130)
12-01 19:31:25.115 6369 6552 W System.err: ... 51 more
If anyone has faced this issue, please help or guide me toward a possible solution.
Thanks.
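Added example, not code from the original post: the OCSP-to-CRL failover described in the question is the behaviour of the JDK/Android PKIX RevocationChecker, and an application can drive the same checker through java.security.cert.PKIXRevocationChecker to observe which leg failed for a given chain. The class name, the two PEM file arguments and the printed messages are this example's own choices; everything else is standard java.security.cert API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
// Added example, not code from the original post: validates a server chain with the
// JDK/Android PKIX revocation checker and reports how the OCSP and CRL legs behaved.
public class RevocationDiagnosis {
    // Returns the revocation problems the checker tolerated. SOFT_FAIL only tolerates network
    // errors and OCSP internalError/tryLater; an OCSP failure such as an unauthorized responder
    // makes the checker fail over to CRLs, and if that leg also fails the OCSP error is thrown,
    // normally with the CRL error attached as a suppressed exception.
    public static List<CertPathValidatorException> validate(
            List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc); // this checker replaces the default revocation check
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        cpv.validate(path, params);   // throws on untrusted chain, REVOKED, or failed failover
        return rc.getSoftFailExceptions();
    }
    // Reads all PEM certificates in a file, in file order.
    public static List<X509Certificate> loadPem(String path) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }
    // Usage: java RevocationDiagnosis chain.pem roots.pem  (chain leaf first, root omitted)
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : loadPem(args[1])) {
            anchors.add(new TrustAnchor(root, null));
        }
        try {
            for (CertPathValidatorException e : validate(loadPem(args[0]), anchors)) {
                System.out.println("tolerated (soft-fail): " + e.getMessage());
            }
        } catch (CertPathValidatorException e) {
            System.out.println("hard failure [" + e.getReason() + "]: " + e.getMessage());
            for (Throwable failover : e.getSuppressed()) {
                System.out.println("  CRL fallback also failed: " + failover.getMessage());
            }
        }
    }
}
```

Running it against the chain that produces the trace above shows whether the responder-authorization error was thrown alone (CRL leg soft-failed) or with the CRL leg's own error attached, which is the distinction the stack trace hides.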
Stop checking certificate validation when calling the API with the OkHttp library.
Here is some sample code:
And call this client
whenever calling with Retrofit, like the following: