Android_11 Exception Handling Issue: javax.net.ssl.SSLHandshakeException: Chain validation failed


During OCSP verification, Android 11 detects that the Responder's certificate is not authorized to sign the OCSP response, then it tries to send this exception to the Revocation checker to prepare for failure, and once this exception is received, it falls back to using the CRL method.

Here, the exception from OCSP is not reaching the Revocation checker to prepare for this exception; it ends up printing the trace below with a chain validation failure.

Please note, the device time is properly set and CA certificates are properly installed on the device. Also, this issue of failing to send the exception occurs rarely, but once it fails, it continuously fails to send the exception to the Revocation checker.

Below is the trace sequence I observe:

    12-01 19:31:24.909 6369 6552 W System.err: OCSP_Response: final else case - Responder cert not authorized to sign
    12-01 19:31:25.114 6369 6552 W System.err: javax.net.ssl.SSLHandshakeException: Chain validation failed
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:356)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:896)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:236)
    12-01 19:31:25.114 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:218)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    12-01 19:31:25.114 6369 6552 W System.err: at com.symbol.mxtest.MainActivity$SslCertificateLogger.intercept(MainActivity.java:193)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    12-01 19:31:25.114 6369 6552 W System.err: at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    12-01 19:31:25.115 6369 6552 W System.err: at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    12-01 19:31:25.115 6369 6552 W System.err: at com.symbol.mxtest.MainActivity.run(MainActivity.java:162)
    12-01 19:31:25.115 6369 6552 W System.err: at com.symbol.mxtest.MainActivity.checkme(MainActivity.java:138)
    12-01 19:31:25.115 6369 6552 W System.err: at com.symbol.mxtest.MainActivity$1$1.run(MainActivity.java:108)
    12-01 19:31:25.115 6369 6552 W System.err: at java.lang.Thread.run(Thread.java:923)
    12-01 19:31:25.115 6369 6552 W System.err: Caused by: java.security.cert.CertificateException: Chain validation failed
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:719)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:570)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:353)
    12-01 19:31:25.115 6369 6552 W System.err: at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
    12-01 19:31:25.115 6369 6552 W System.err: at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:260)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
    12-01 19:31:25.115 6369 6552 W System.err: ... 30 more
    12-01 19:31:25.115 6369 6552 W System.err: Caused by: java.security.cert.CertPathValidatorException: OCSP_Response: Responder's certificate is not authorized to sign OCSP responses
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:140)
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:222)
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
    12-01 19:31:25.115 6369 6552 W System.err: at java.security.cert.CertPathValidator.validate(CertPathValidator.java:301)
    12-01 19:31:25.115 6369 6552 W System.err: at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:715)
    12-01 19:31:25.115 6369 6552 W System.err: ... 46 more
    12-01 19:31:25.115 6369 6552 W System.err: Caused by: java.security.cert.CertPathValidatorException: OCSP_Response: Responder's certificate is not authorized to sign OCSP responses
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:577)
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:734)
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:376)
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:349)
    12-01 19:31:25.115 6369 6552 W System.err: at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:130)
    12-01 19:31:25.115 6369 6552 W System.err: ... 51 more

If anyone has faced this issue, please help or guide me with a possible solution.

Thanks.


1 answer

Sadakat Hussain Fahad

Stop checking certificate validation when calling the API in the OkHttp library.

Here is some sample code:

    import java.security.KeyStore
    import java.security.SecureRandom
    import java.security.cert.CertificateException
    import java.security.cert.X509Certificate
    import javax.net.ssl.SSLContext
    import javax.net.ssl.TrustManager
    import javax.net.ssl.TrustManagerFactory
    import javax.net.ssl.X509TrustManager
    import okhttp3.OkHttpClient

    private fun getUnsafeOkHttpClient(): OkHttpClient? {
        return try {
            // Trust manager that accepts every certificate chain: both check methods
            // are empty, so no server certificate is ever rejected.
            val trustAllCerts = arrayOf<TrustManager>(object : X509TrustManager {
                @Throws(CertificateException::class)
                override fun checkClientTrusted(
                    chain: Array<X509Certificate?>?, authType: String?
                ) {
                }

                @Throws(CertificateException::class)
                override fun checkServerTrusted(
                    chain: Array<X509Certificate?>?,
                    authType: String?
                ) {
                }

                override fun getAcceptedIssuers(): Array<X509Certificate?>? {
                    return arrayOf()
                }
            })

            // The SSLContext, and therefore the TLS handshake, uses the trust-all manager above.
            val sslContext = SSLContext.getInstance("SSL")
            sslContext.init(null, trustAllCerts, SecureRandom())
            val sslSocketFactory = sslContext.socketFactory
            // The platform default trust manager is looked up separately and handed to OkHttp;
            // note that this is not the trust-all manager the socket factory was built with.
            val trustManagerFactory: TrustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
            trustManagerFactory.init(null as KeyStore?)
            val trustManagers: Array<TrustManager> = trustManagerFactory.trustManagers
            check(!(trustManagers.size != 1 || trustManagers[0] !is X509TrustManager)) {
                "Unexpected default trust managers:" + trustManagers.contentToString()
            }
            val trustManager = trustManagers[0] as X509TrustManager
            val builder = OkHttpClient.Builder()
            builder.sslSocketFactory(sslSocketFactory, trustManager)
            // Hostname verification is disabled as well: every host name is accepted.
            builder.hostnameVerifier { _, _ -> true }
            builder.build()
        } catch (e: Exception) {
            throw RuntimeException(e)
        }
    }

And call this client whenever calling with Retrofit, like the following:

    val client = getUnsafeOkHttpClient()
    retrofit = Retrofit.Builder().baseUrl(baseUrl)
        .addConverterFactory(ScalarsConverterFactory.create())
        .addCallAdapterFactory(RxJava2CallAdapterFactory.create())
        .addConverterFactory(GsonConverterFactory.create()).client(client).build()
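As an added example (not code from the question, the answer, or OkHttp itself), the following Kotlin keeps the platform's certificate validation and wraps the default `X509TrustManager` only to log the nested `CertPathValidatorException` reasons, so the OCSP responder failure at the bottom of the question's trace becomes visible in the app log while the connection is still rejected. It also hands the same trust manager to both the `SSLContext` and OkHttp's `sslSocketFactory(...)`, which the answer's code does not. Assumptions: OkHttp 4.x is on the classpath; `describeCertPathFailure`, `LoggingTrustManager`, `platformTrustManager` and `loggingOkHttpClient` are names chosen here; the exception chain built in `main` is constructed to mimic the trace, not captured from a device.

```kotlin
import java.security.KeyStore
import java.security.cert.CertPathValidatorException
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

// Walks t and its causes and returns one line per CertPathValidatorException found,
// so the revocation (OCSP/CRL) reason buried at the bottom of the chain is not lost.
fun describeCertPathFailure(t: Throwable): List<String> {
    val lines = mutableListOf<String>()
    val seen = HashSet<Throwable>()          // guards against cyclic cause chains
    var cur: Throwable? = t
    while (cur != null && seen.add(cur)) {
        if (cur is CertPathValidatorException) {
            lines += "reason=${cur.reason} certIndex=${cur.index} message=${cur.message}"
        }
        cur = cur.cause
    }
    return lines
}

// Delegates every trust decision to the platform trust manager; on rejection it logs
// the cause chain and rethrows, so a failed chain still aborts the handshake.
class LoggingTrustManager(
    private val delegate: X509TrustManager,
    private val log: (String) -> Unit
) : X509TrustManager {
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) =
        delegate.checkClientTrusted(chain, authType)

    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        try {
            delegate.checkServerTrusted(chain, authType)
        } catch (e: CertificateException) {
            log("server chain rejected, leaf=${chain.firstOrNull()?.subjectX500Principal}")
            describeCertPathFailure(e).forEach(log)
            throw e
        }
    }

    override fun getAcceptedIssuers(): Array<X509Certificate> = delegate.acceptedIssuers
}

// The platform default X509TrustManager (on Android, the one backed by the system CA store).
fun platformTrustManager(): X509TrustManager {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(null as KeyStore?)
    return tmf.trustManagers.filterIsInstance<X509TrustManager>().single()
}

// OkHttp client whose SSLContext and sslSocketFactory(...) call share the same trust manager.
fun loggingOkHttpClient(log: (String) -> Unit): OkHttpClient {
    val tm = LoggingTrustManager(platformTrustManager(), log)
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, arrayOf<TrustManager>(tm), null)
    return OkHttpClient.Builder()
        .sslSocketFactory(ctx.socketFactory, tm)
        .build()
}

// Constructed exception chain shaped like the question's trace, used to exercise the logger offline.
fun main() {
    val ocsp = CertPathValidatorException(
        "OCSP_Response: Responder's certificate is not authorized to sign OCSP responses",
        null, null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED
    )
    val chainFailure = CertificateException("Chain validation failed", ocsp)
    describeCertPathFailure(chainFailure).forEach(::println)
}
```

In an app, `loggingOkHttpClient { Log.w("tls", it) }` replaces the client above: a handshake against a chain the platform rejects still fails, but the log now carries the `CertPathValidatorException.reason` and message for each nested cause, which is the information needed to tell an OCSP responder problem apart from an expired or untrusted chain.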