Android Question SSL connection failures

Lee Gillie CCP · Jun 1, 2020

I have been running our last deployment without issue since Feb 2019. There are perhaps around 12 tablets, with our B4A app installed on:

P00I - Asus
VK700 - LGE
SM-T597V - Samsung

Yesterday they all worked fine. Today, at first only the LGE failed, and it was all LGE tablets out there which failed. About an hour ago all tablets now fail to connect. My first thought was perhaps a new Android was just pushed. Or some other major news event because I have been out of the loop for a bit. I have an LGE at the office, but I am working remotely at present, so I can not get to the office. I cant reproduce and check the Android's log from there at the moment. These tablets all connect via Verizon. The server they attempt to connect to is a custom .NET service which provides web services API.

This one has me baffled, but maybe someone else started having similar issues today or very recently?

I know it is not much to go on, so grasping at straws here. I sure hope someone has an idea or two.

Best regards - Lee Gillie, CCP - Spokane, WA

JohnC · Jun 1, 2020

I just had an SSL problem with my email client not being able to make a secure connection to my private VPS server.

It turns out that even though my VPS's SSL certificate wasn't going to expire until 7/1/20, it was the "root" certificate for that SSL which was one of the built-in certificates in my android device that expired on 5/30/20 (Android phones come with a bunch of built-in root certificates that are used to validate various SSL certificates on the internet).

So the solution was to just renew the SSL certificate of my VPS server using a different company so it would cause my android device to use a different root certificate to certify it, and everything started working again.

This may have nothing to do with your issue, but then again, it might also save you the time I had to spend troubleshoot my issue.

MicroDrie · Jun 1, 2020

JohnC said:
So the solution was to just renew the SSL certificate of my VPS server using a different company so it would cause my android device to use a different root certificate to certify it, and everything started working again.

Saidly ?, your are not the first with the problem of a expired SSL certificate. Fortunately ?, a solution has been found for that challenge. And you can of course expect from an economical ? (also called miserly ?) Dutchman that it is of course also free of charge ?. Is now used on more than 200 million websites ??.

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

Lee Gillie · Jun 2, 2020

Curiously some of the tablets have started being able to negotiate SSL all on their own, apparently. So now about half of them are making it through. They are able to web browse without issue. I wonder if Android has a certificate cache, and maybe there exists a way to clear it. This is so bizarre!

Lee Gillie CCP · Jun 2, 2020

More info. All tablet models EXCEPT the LG are connecting as of now. They are on Android version 5.0.2. I heard TLS 1.0/1.1 deprecated on 6/1/2020 for some software. I don't really know how this works, but could it be that a certificate in a cache was negotiated with TLS 1.1. Those running now have renegotiated under TLS 1.2. I am struggling to understand this where most if not all went away, and little by little they are coming back, and only those of a certain model remain unable to connect.

Lee Gillie CCP · Jun 4, 2020

More info...

I am working remotely, but I FINALLY got a co-worker to access LOGCAT and found this...

W/GLSActivity( 2504): fwb: BadAuthentication
W/GLSActivity( 2504): at fvp.acom.google.android.gms@12685006@12.6.85 (020300-197041431):13)
W/GLSActivity( 2504): at fvo.acom.google.android.gms@12685006@12.6.85 (020300-197041431):2)
W/GLSActivity( 2504): at fvo.ecom.google.android.gms@12685006@12.6.85 (020300-197041431):6)
W/GLSActivity( 2504): at fvn.acom.google.android.gms@12685006@12.6.85 (020300-197041431):1)
W/GLSActivity( 2504): at fxk.getAuthTokencom.google.android.gms@12685006@12.6.85 (020300-197041431):7)
W/GLSActivity( 2504): at android.accounts.AbstractAccountAuthenticator$Transport.getAuthToken(AbstractAccountAuthenticator.java:196)
W/GLSActivity( 2504): at android.accounts.IAccountAuthenticator$Stub.onTransact(IAccountAuthenticator.java:113)
W/GLSActivity( 2504): at android.os.Binder.transact(Binder.java:380)
W/GLSActivity( 2504): at dbf.onTransactcom.google.android.gms@12685006@12.6.85 (020300-197041431):3)
W/GLSActivity( 2504): at android.os.Binder.execTransact(Binder.java:446)
W/PlayEventLogger(22506): deferring log upload because couldn't retrieve auth token
W/System.err(13667): java.net.SocketTimeoutExceptionjava.net.SocketTimeoutException
W/System.err(13667): at java.net.PlainSocketImpl.read(PlainSocketImpl.java:488)
W/System.err(13667): at java.net.PlainSocketImpl.access$000(PlainSocketImpl.java:37)
W/System.err(13667): at java.net.PlainSocketImpl$PlainSocketInputStream.read(PlainSocketImpl.java:237)
W/System.err(13667): at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:103)
W/System.err(13667): at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:191)
W/System.err(13667): at org.apache.http.impl.conn.DefaultResponseParser.parseHead(DefaultResponseParser.java:82)
W/System.err(13667): at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:174)
W/System.err(13667): at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:180)
W/System.err(13667): at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:235)
W/System.err(13667): at at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:259)
W/System.err(13667): at java.net.PlainSocketImpl.read(PlainSocketImpl.java:488)
W/System.err(13667): org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:279)
W/System.err(13667): at at java.net.PlainSocketImpl.access$000(PlainSocketImpl.java:37)
W/System.err(13667): at java.net.PlainSocketImpl$PlainSocketInputStream.read(PlainSocketImpl.java:237)
W/System.err(13667): org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:121) at
W/System.err(13667): org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:103) at
W/System.err(13667): org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err(13667): at at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err(13667): at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:191)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper.executeWithTimeout(HttpClientWrapper.java:316)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper.access$0(HttpClientWrapper.java:314)org.apache.http.impl.conn.DefaultResponseParser.parseHead(DefaultResponseParser.java:82)
W/System.err(13667): at
W/System.err(13667): org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:174) at
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper$ExecuteHelper.run(HttpClientWrapper.java:215)
W/System.err(13667): at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:422)org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:180)W/System.err(13667): at
W/System.err(13667): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(13667): at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:235)
W/System.err(13667): at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:259)
W/System.err(13667): at java.lang.Thread.run(Thread.java:818)
W/System.err(13667): org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:279)
W/System.err(13667): at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:121)
W/System.err(13667): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper.executeWithTimeout(HttpClientWrapper.java:316)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper.access$0(HttpClientWrapper.java:314)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper$ExecuteHelper.run(HttpClientWrapper.java:215)
W/System.err(13667): at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:422)
W/System.err(13667): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(13667): at java.lang.Thread.run(Thread.java:818)

and also

D/TelephonyIcons( 1473): getDataActivity, sub=0, activity=2
I/[SystemUI]StatusBar.NetworkController( 1473): refreshViews 1 connected={ data } level=1 mobileLabel=Verizon wifiLabel= emergencyOnly=false
I/[SystemUI]StatusBar.NetworkController( 1473): refreshViews 2 mPhoneSignalIconId=com.android.systemui:drawable/stat_sys_signal_bar5_1_fully mDataSignalIconId=com.android.systemui:drawable/stat_sys_signal_bar5_1_fully mDataTypeIconId=(null) mDataActivity=2 mLGNetworkController.mLGDataTypeIconId=com.android.systemui:drawable/stat_sys_data_connected_4g_nodata_vzw mLGNetworkController.mLGDataActivityIconId=com.android.systemui:drawable/stat_sys_data_fully_default_out_vzw
I/[SystemUI]StatusBar.NetworkController( 1473): refreshViews 3 mAirplaneMode=false mNoSimIconId=(null) mWifiIconId=(null) mWifiActivityIconId=com.android.systemui:drawable/stat_sys_wifi_none_vzw
W/System.err(13667): java.net.SocketTimeoutException
W/System.err(13667): at java.net.PlainSocketImpl.read(PlainSocketImpl.java:488)
W/System.err(13667): at java.net.PlainSocketImpl.access$000(PlainSocketImpl.java:37)
W/System.err(13667): at java.net.PlainSocketImpl$PlainSocketInputStream.read(PlainSocketImpl.java:237)
W/System.err(13667): at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:103)
W/System.err(13667): at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:191)
W/System.err(13667): at org.apache.http.impl.conn.DefaultResponseParser.parseHead(DefaultResponseParser.java:82)
W/System.err(13667): at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:174)
W/System.err(13667): at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:180)
W/System.err(13667): at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:235)
W/System.err(13667): at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:259)
W/System.err(13667): at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:279)
W/System.err(13667): at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:121)
W/System.err(13667): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err(13667): java.net.SocketTimeoutException
W/System.err(13667): at java.net.PlainSocketImpl.read(PlainSocketImpl.java:488)
W/System.err(13667): at java.net.PlainSocketImpl.access$000(PlainSocketImpl.java:37)
W/System.err(13667): at at java.net.PlainSocketImpl$PlainSocketInputStream.read(PlainSocketImpl.java:237)
W/System.err(13667): at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:103)
W/System.err(13667): anywheresoftware.b4a.http.HttpClientWrapper.executeWithTimeout(HttpClientWrapper.java:316)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper.access$0(HttpClientWrapper.java:314)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper$ExecuteHelper.run(HttpClientWrapper.java:215)
W/System.err(13667): at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:422)
W/System.err(13667): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(13667): at java.lang.Thread.run(Thread.java:818)
W/System.err(13667): at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:191)
W/System.err(13667): at org.apache.http.impl.conn.DefaultResponseParser.parseHead(DefaultResponseParser.java:82)
W/System.err(13667): at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:174)
W/System.err(13667): at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:180)
W/System.err(13667): at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:235)
W/System.err(13667): at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:259)
W/System.err(13667): at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:279)
W/System.err(13667): at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:121)
W/System.err(13667): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err(13667): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper.executeWithTimeout(HttpClientWrapper.java:316)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper.access$0(HttpClientWrapper.java:314)
W/System.err(13667): at anywheresoftware.b4a.http.HttpClientWrapper$ExecuteHelper.run(HttpClientWrapper.java:215)
W/System.err(13667): at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:422)
W/System.err(13667): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(13667): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(13667): at java.lang.Thread.run(Thread.java:818)
D/WindowManager( 938): [PWM]1.notifyNavigationBarColor => mLastColorNavigationBar=0x0
I/[SystemUI]NavigationThemeResource( 1473): notify navigation bar color(0x0)
D/InputDispatcher( 938): Focus left window: Window{18dd9411 u0 odp.eljaydelivery/odp.eljaydelivery.main}
D/InputDispatcher( 938): Focus entered window: Window{3f3c236e u0 odp.eljaydelivery/odp.eljaydelivery.main}
D/InputDispatcher( 938): Window went away: Window{18dd9411 u0 odp.eljaydelivery/odp.eljaydelivery.main}
W/InputMethodManagerService( 938): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@1755b449 attribute=null, token = android.os.BinderProxy@2359ae9
I/B4A (13667): ~l021638416:GetMyIPCompletion failed: java.net.SocketTimeoutException
I/B4A (13667): ~l122490369:************ Main.GetProducts_LatestUploadHandler: Started
I/B4A (13667): ~l222490391:************ Main.GetProducts_LatestUploadHandler: Finished
I/[SystemUI]StatusBar.NetworkController( 1473): onDataActivity: direction=3
D/TelephonyIcons( 1473): getDataActivity, sub=0, activity=3
I/[SystemUI]StatusBar.NetworkController( 1473): refreshViews 1 connected={ data } level=1 mobileLabel=Verizon wifiLabel= emergencyOnly=false
I/[SystemUI]StatusBar.NetworkController( 1473): refreshViews 2 mPhoneSignalIconId=com.android.systemui:drawable/stat_sys_signal_bar5_1_fully mDataSignalIconId=com.android.systemui:drawable/stat_sys_signal_bar5_1_fully mDataTypeIconId=(null) mDataActivity=3 mLGNetworkController.mLGDataTypeIconId=com.android.systemui:drawable/stat_sys_data_connected_4g_nodata_vzw mLGNetworkController.mLGDataActivityIconId=com.android.systemui:drawable/stat_sys_data_fully_default_inandout_vzw

I suspect Google deployed something, or perhaps something at Google APIs changed on June 1, 2020. I suspect ANYWHERE runtimes we installed with our app are no longer compatible for some reason. (at least on these antique LG tablets) Our app was last compiled, built and deployed from B4A version 8.90.

I am hopeful that if we update to B4A 9.80, and do what ever SDK updates are mandatory for it, and also make any code changes needed to jump from 8.90 to 9.80 that it will likely fix the incompatibility, and restore life to our 2014 LG tablets. I note that 2016 Asus tablets, and 2018 Samsung tablets have zero problems. It is ONLY the LG tablets that are no longer able to negotiation SSL, and begin communications to our proprietary web services API.

Any hints for things to watch for along the upgrade path would be EXTREMELY appreciated as we start down this path tomorrow.

Best regards - Lee

Erel · Jun 4, 2020

It is difficult to read the bold logs.

You should always use the latest version of B4A and you should use OkHttpUtils2. I do not know whether it will solve this issue or not. It is possible that the server uses a SSL protocol that is no longer supported by your old devices.

MicroDrie · Jun 4, 2020

Perhaps this article How To Fix SSL Connection Error On Android? can give you ideas for a quick fix? Specially the Clear Browsing History & Caches could be interesting to get ride of old certificates which are not be used anymore.

Lee Gillie CCP · Jun 8, 2020

We are really getting nowhere quickly with this.

On the .NET web api data service, we manage the connections. We tried allowing ANY negotiated handshake (we prefer TLS 1.2 minimum, but we opened it up to allow anything for this test, for which .NET will use the highest level it can). Further, we always fully validate (and log) all the certificate chain elements, and all elements are valid, and have not expired.

On the server side we see the incoming socket connection, but SSL authentication fails with an error that suggests the client disconnected prematurely, and our initial attempt to read the stream behaves as if the stream is empty. The stream length is reported as -1.

As per Erel, We converted our code to use OkHttpUtils2 and are using the very latest version of it, and still the LG tablets are not able to connect via SSL. All more recent tablet models we presume continue to work as they did before, as they should and are able to use SSL.

As per MicroDrie we followed the link. We found there was a new update for google web browser, so we installed it, and tried again. This also made no difference.

As of the moment our only working implementation is to provide a second non-secure port for our web API data service. I am not really proud of the only option to offer the customer is to eliminate security, or to replace all of those 2014 LG tablets with newer ones.

At failure logcat reports: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Earlier in logcat, I presume as tablet started, we see this, which I have no idea if it is relevant:

W/ProviderInstaller(20812): Failed to load providerinstaller module: No acceptable module found. Local version is 0 and remote version is 0.
V/NativeCrypto(20812): Registering com/google/android/gms/org/conscrypt/NativeCrypto's 286 native methods...
W/art (20812): Suspending all threads took: 14.018ms
W/System (20812): Could not create com.google.android.gms.org.conscrypt.OpenSSLSocketFactoryImpl with ClassLoader android.app.LoadedApk$WarningContextClassLoader@36e31021: com.google.android.gms.org.conscrypt.OpenSSLSocketFactoryImpl
W/ActivityThread(20812): ClassLoader.loadClass: The class loader returned by Thread.getContextClassLoader() may fail for processes that host multiple applications. You should explicitly specify a context class loader. For example: Thread.setContextClassLoader(getClass().getClassLoader());
I/ProviderInstaller(20812): Installed default security provider GmsCore_OpenSSL

OliverA · Jun 9, 2020

Have you tried updating Google Play services on the device? Here's @Erel's posting: https://www.b4x.com/android/forum/threads/ssl-websocket-client.88472/post-560044
I use @Erel's provided code in Main as following sub:

B4X:

Sub CheckProviderInstaller As ResumableSub
    ' Don't forget to add to module:
'#AdditionalJar: com.google.android.gms:play-services-base
    'Don't forget to add to the Manifest
'    '************ Google Play Services Base ************
'    AddApplicationText(
'    <Activity android:name="com.google.android.gms.common.api.GoogleApiActivity"
'    android:theme="@android:style/Theme.Translucent.NoTitleBar"
'    android:exported="false"/>
'    <meta-data
'    android:name="com.google.android.gms.version"
'    android:value="@integer/google_play_services_version" />
'    )
'    '************ Google Play Services Base (end) ************
    Dim retVal As Boolean = False
    Dim jo As JavaObject
    jo.InitializeStatic("com.google.android.gms.security.ProviderInstaller")
    Dim context As JavaObject
    context.InitializeContext
    Dim listener As Object = jo.CreateEventFromUI("com.google.android.gms.security.ProviderInstaller.ProviderInstallListener", _
        "listener", Null)
    Log("Installing security provider if needed...")
    jo.RunMethod("installIfNeededAsync", Array(context, listener))
    Wait For listener_Event (MethodName As String, Args() As Object)
    If MethodName = "onProviderInstalled" Then
        Log("Provider installed successfully")
        retVal = True
    Else
        Log("Error installing provider: " & Args(0))
    End If
    Return retVal
End Sub

I call this code in Activity Resume like this:

B4X:

Wait For (CheckProviderInstaller) complete (success As Boolean)

Lee Gillie CCP · Jun 9, 2020

OliverA said:
Have you tried updating Google Play services on the device? Here's @Erel's posting: https://www.b4x.com/android/forum/threads/ssl-websocket-

You raise an excellent point.

I wonder how it may affect us though. I know to get your APK into Google Play for deployment, it filters out apps supporting the known weak TLS 1.1. But we have chosen to solely side-load our application to fleet tablets we are supporting. I know these problematic LG tablets are circa 2014, and may have a limit on the Android API SDK version that can be installed to them (because every model seems to have an eventual limit on Android version they will receive). I have requested staff to survey the 3 tablet models in the field for Android version they are running, and see if we can possibly up the target SDK on our project. I suspect older SDK API versions might not support the minimal TLS 1.2.

But another thing I noticed in the LOGCAT just PRIOR to SSL negotiation failure is that it appears there may be some communication with google services. This is NOT part of the standard SSL negotiation, as I would expect only primary, root, and intermediate CAs to be involved in the negotiation. But perhaps with Android, it is phoning home to the mother ship (google) and THAT may now be limiting us on TLS level that can be used.

I don't know for certain yet, because I don't know Android levels in the field, and I don't know what the API SDK's support for TLS level, but it may simply mean that this hardware is officially obsolete. I truly would hate to go to the customer and tell them they must replace half of their deployed tablets, without more certainty.

Thank you OliverA for taking time to consider this.

Best regards - Lee

OliverA · Jun 9, 2020

Lee Gillie CCP said:
But we have chosen to solely side-load our application to fleet tablets we are supporting

I use the above posted code on a pure side loaded application. The code just updates Android's security provider. The error message you posted after updating to OkHttpUtils2 seem to indicate that the security provider is out of date. I'm pretty sure the code will fail on API levels below 21 (Android 5).

Note: A quick "googling" on the LG tablet seem to indicate it came with KitKat (4.4) out of the factory, but an update to Lollipop (5) was made available. If the tablets are still on KitKat, they will definitely fail. The solution then would be to update them to Lollipop.

Lee Gillie CCP · Jun 9, 2020

I have confirmed the LG tablets have 5.0.2 Android installed. All other tablets (the ones that work with SSL) are running either 7 or 9.

I see your installer working...

I/B4A (12092): ~l31131188:******* Main.Activity_Create: Finished
I/B4A (12092): ~i:** Activity (main) Resume **
I/B4A (12092): ~l41196610:******* Main.Activity_Resume: Started
D/GpsLocationProvider( 938): setRequest ProviderRequest[ON interval=0]
I/B4A (12092): ~l5168681749:Installing security provider if needed...

This is an asynchronous activity, so the results of it are logged a bit later...

I/B4A (12092): ~l6168681753:Provider installed successfully

But it continues to fail to do the SSL authentication, with the same exception as before...

W/System.err(12092): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(12092): at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshakecom.google.android.gms@201875006@20.18.75 (020300-314726893):25)
W/System.err(12092): at com.google.android.gms.org.conscrypt.KitKatPlatformOpenSSLSocketImplAdapter.startHandshakecom.google.android.gms@201875006@20.18.75 (020300-314726893):0)
W/System.err(12092): at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:242)
W/System.err(12092): at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:200)
W/System.err(12092): at okhttp3.internal.connection.RealConnection.buildConnection(RealConnection.java:174)
W/System.err(12092): at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:114)
W/System.err(12092): at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:196)
W/System.err(12092): at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:132)
W/System.err(12092): at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:101)
W/System.err(12092): at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
I/ActivityManager( 938): Start proc com.lge.p2pclients.tethering for broadcast com.lge.p2p/com.lge.p2pclients.tethering.P2pTetheringReceiver: pid=12126 uid=10093 gids={50093, 9997, 3003, 3001, 3002, 1028, 1015} abi=armeabi-v7a
W/System.err(12092): at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W/System.err(12092): at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W/System.err(12092): at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
W/System.err(12092): at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W/System.err(12092): at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W/System.err(12092): at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
W/System.err(12092): at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W/System.err(12092): at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
W/System.err(12092): at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W/System.err(12092): at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W/System.err(12092): at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
W/System.err(12092): at okhttp3.RealCall.execute(RealCall.java:63)
W/System.err(12092): at anywheresoftware.b4h.okhttp.OkHttpClientWrapper.executeWithTimeout(OkHttpClientWrapper.java:156)
W/System.err(12092): at anywheresoftware.b4h.okhttp.OkHttpClientWrapper.access$0(OkHttpClientWrapper.java:153)
W/System.err(12092): at anywheresoftware.b4h.okhttp.OkHttpClientWrapper$ExecuteHelper.run(OkHttpClientWrapper.java:201)
W/System.err(12092): at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:422)
W/System.err(12092): at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(12092): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(12092): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(12092): at java.lang.Thread.run(Thread.java:818)
W/System.err(12092): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(12092): at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:324)
W/System.err(12092): at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:225)
W/System.err(12092): at java.lang.reflect.Method.invoke(Native Method)
W/System.err(12092): at java.lang.reflect.Method.invoke(Method.java:372)
W/System.err(12092): at com.google.android.gms.org.conscrypt.Platform.checkTrustedcom.google.android.gms@201875006@20.18.75 (020300-314726893):2)
W/System.err(12092): at com.google.android.gms.org.conscrypt.Platform.checkServerTrustedcom.google.android.gms@201875006@20.18.75 (020300-314726893):3)
W/System.err(12092): at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChaincom.google.android.gms@201875006@20.18.75 (020300-314726893):5)
W/System.err(12092): at com.google.android.gms.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err(12092): at com.google.android.gms.org.conscrypt.NativeSsl.doHandshakecom.google.android.gms@201875006@20.18.75 (020300-314726893):6)
W/System.err(12092): at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshakecom.google.android.gms@201875006@20.18.75 (020300-314726893):16)
W/System.err(12092): ... 29 more
W/System.err(12092): Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(12092): ... 39 more
I/B4A (12092): ~l4166846721:ResponseError. Reason: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found., Response:

So, once again I find myself at wit's end. Please help!

OliverA · Jun 9, 2020

If your server is accessible from outside, use

SSL Certificate Checker - Diagnostic Tool | DigiCert.com

www.digicert.com

to check your server's SSL configuration and see if there is an issue that could be resolved on the server side

Lee Gillie CCP · Jun 9, 2020

Actually, we explored this the other day...

Also when our server fires up it immediately builds and validates all elements of the chain, and all of that looks as it should.

OliverA · Jun 9, 2020

Are you sure the server is allowing TLS 1.2? Maybe someone reconfigured the server and disabled TLS 1.2. On the above linked site, check the "Check for common vulnerabilities" box and see if your server still supports TLS 1.2

Lee Gillie CCP · Jun 9, 2020

OliverA said:
Are you sure the server is allowing TLS 1.2? Maybe someone reconfigured the server and disabled TLS 1.2. On the above linked site, check the "Check for common vulnerabilities" box and see if your server still supports TLS 1.2

I originally had it PREVENT TLS 1.1. But when we started having this problem we, via (.NET) AuthenticateAsServer with the option to negotiate the highest possible TLS between client and server, with no LOWER limits on what we will accept. We see TLS 1.2 (and 1.3 as I recall) negotiated for those newer (2019) circa tablets. Again only these old LG tablets (2014) running Android 5.0.2 fail SSL.

OliverA · Jun 9, 2020

It's just interesting that your issues started June 1st. On May 30th a major root certificate expired causing some big problems out there: https://nakedsecurity.sophos.com/2020/06/02/the-mystery-of-the-expiring-sectigo-web-certificate/

OliverA · Jun 9, 2020

Do you have one of the tablets at hand? You could try creating a "toilet" here https://ptsv2.com/ and see if you can connect to it via the offending table. Or any other https enabled site. This way you could test if all https traffic is doomed to failure or only your site.

MicroDrie · Jun 9, 2020

Because LGe is the only one which refused your solution and looking to fact that the LGE was released around the time of the TLS 1.2 required introduction, this all rise the question has LGE ever made a TLS update?

But another thing I noticed in the LOGCAT just PRIOR to SSL negotiation failure is that it appears there may be some communication with google services. This is NOT part of the standard SSL negotiation, as I would expect only primary, root, and intermediate CAs to be involved in the negotiation. But perhaps with Android, it is phoning home to the mother ship (google) and THAT may now be limiting us on TLS level that can be used.

This article Protect Your Android App Against SSL Exploits said:

If you using google play services such as google analytics or push notifications (Google Cloud Messaging), there is a very easy way to install a new SSL Security Provider (injecting an up to date openssl library that gets shipped and updated with the Google Play Services).

Perhaps you can give the suggestion to update to the leatist the last SSL version:

B4X:
The only thing you need to do is to call the following method

B4X:

ProviderInstaller.installIfNeeded(getContext());

within your first Activity. This will on the first application start inject the updated library and ever subsequent start it does nothing and wont slow down your application

Android Question SSL connection failures

Active Member

Expert

Well-Known Member

New Member

Active Member

Active Member

B4X founder

Well-Known Member

Active Member

Expert

Active Member

Expert

Active Member

Expert

Active Member

Expert

Active Member

Expert

Expert

Well-Known Member

Similar Threads