
Android HTTPS CertPathValidatorException: TrustAnchor found but certificate validation failed

Has anyone met the exception below? It occurs randomly. After it happens, the HTTPS connection cannot be used anymore. The whole application needs to restart. The scenario : Af

Solution 1:

According to other sources like [1,2], you probably have an outdated OpenSSL version. Try updating your OpenSSL version. Minimum version: OpenSSL 0.9.8o

Your BouncyCastle uses OpenSSL com.android.org.conscrypt.OpenSSLX509Certificate.verify to verify the certificate.

The exception java.security.NoSuchAlgorithmException: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm means the certificate uses a digest that is not handled by OpenSSL, most probably SHA256.

UPDATE 01: As noted in the comments, on Android you cannot update the system OpenSSL. Let's experiment:

What are your Android and OkHttp versions? Your system uses https://conscrypt.org/ as a crypto provider. You can try to avoid using the system-bundled OpenSSL & BouncyCastle versions by using a new version of BouncyCastle - SpongyCastle.

Follow the instructions here https://rtyley.github.io/spongycastle/ to install SpongyCastle as a new and preferred crypto provider (core, prov, pkix). If SpongyCastle is in effect, your stack trace will contain spongycastle packages.
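
An added example (not part of the original answer): a small Java diagnostic that lists, in preference order, which installed security providers implement a given signature algorithm, so you can see whether the digest named by a certificate is supported and whether a newly inserted provider is actually first in line. The class name SigAlgProbe, the default algorithm list and the optional certificate-file argument are assumptions made for illustration; it reports the JCA provider view only.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class SigAlgProbe {
    // Names of installed providers, in preference order, that implement `alg`.
    static List<String> providersFor(String alg) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            try {
                Signature.getInstance(alg, p);
                names.add(p.getName());
            } catch (NoSuchAlgorithmException e) {
                // This provider cannot verify signatures made with `alg`.
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        Set<String> algs = new LinkedHashSet<>();
        if (args.length > 0) {
            // Optional: path to a PEM or DER certificate (hypothetical input file).
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println("certificate is signed with: " + cert.getSigAlgName());
                algs.add(cert.getSigAlgName());
            }
        }
        // Constructed sample list: one SHA-1 and two SHA-256 signature algorithms.
        algs.addAll(Arrays.asList("SHA1withRSA", "SHA256withRSA", "SHA256withECDSA"));
        for (String alg : algs) {
            List<String> found = providersFor(alg);
            System.out.println(alg + " -> " + (found.isEmpty() ? "NO PROVIDER" : found));
        }
    }
}
```

Run it once before and once after registering the extra provider: an algorithm reported as NO PROVIDER cannot be verified through the JCA at all, and the first name in each list is the provider that a plain Signature.getInstance(alg) call will pick.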
