How to add ssl certificate in couchbase android programmatically - android

Below is my code:
database = Utils.inializeDb(HomeActivity.this, "company-3");
URL url = null;
try {
    url = new URL("https://*********/db_name");
} catch (IOException e) {
    e.printStackTrace();
}
Replication push = database.createPushReplication(url);
Replication pull = database.createPullReplication(url);
Authenticator auth = AuthenticatorFactory.createBasicAuthenticator("admin", "1m2p3k4n");
pull.setAuthenticator(auth);
push.setContinuous(true);
pull.setContinuous(true);
pull.start();
I want to add an SSL certificate in this code.
Below is the error:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:366)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:351)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:310)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:178)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:236)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:109)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:77)
at okhttp3.internal.connection.Transmitter.newExchange$okhttp(Transmitter.kt:162)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:35)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:82)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:84)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:71)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
at okhttp3.RealCall.execute(RealCall.kt:66)
at com.couchbase.lite.replicator.RemoteRequest.executeRequest(RemoteRequest.java:262)
at com.couchbase.lite.replicator.RemoteRequest.execute(RemoteRequest.java:166)
at com.couchbase.lite.replicator.RemoteRequest.run(RemoteRequest.java:106)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:428)
at java.util.concurrent.FutureTask.run(FutureTask.java:237)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:272)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:611)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:362)

From errors, it looks like the Sync Gateway cert from a well-known trusted CA or it was perhaps self-signed. How was the cert issued? Follow the steps here to configure your system to accept the cert.
Any reason you are starting with 1.x version of Couchbase Lite? Version 1.x is EoL for almost a year. You should switch to 2.x.

Related

MSAL - Exception two- Failed to load instance discovery metadata Android 31

One of our Android apps is using the MSAL library (com.microsoft.identity.client:msal:0.2.+) to validate the user with Microsoft AD. When we run the app on Android 12 on a Google Pixel device, I am getting an exception.
E/AdalMigrationAdapter:loadCloudDiscoveryMetadata: [2021-11-28 12:03:12 - thread_name : pool-45-thread-1, correlation_id : UNSET] Failed to load instance discovery metadata Android 31
javax.net.ssl.SSLHandshakeException: Chain validation failed
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:731)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:411)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:542)
at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:106)
at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:30)
at com.google.firebase.perf.network.InstrURLConnectionBase.getInputStream(InstrURLConnectionBase.java:137)
at com.google.firebase.perf.network.InstrHttpsURLConnection.getInputStream(InstrHttpsURLConnection.java:79)
at com.microsoft.identity.common.internal.net.UrlConnectionHttpClient.executeHttpSend(UrlConnectionHttpClient.java:263)
at com.microsoft.identity.common.internal.net.UrlConnectionHttpClient.access$100(UrlConnectionHttpClient.java:73)
at com.microsoft.identity.common.internal.net.UrlConnectionHttpClient$2.call(UrlConnectionHttpClient.java:176)
at com.microsoft.identity.common.internal.net.UrlConnectionHttpClient$2.call(UrlConnectionHttpClient.java:174)
at com.microsoft.identity.common.internal.net.NoRetryPolicy.attempt(NoRetryPolicy.java:42)
at com.microsoft.identity.common.internal.net.NoRetryPolicy.attempt(NoRetryPolicy.java:36)
at com.microsoft.identity.common.internal.net.UrlConnectionHttpClient.method(UrlConnectionHttpClient.java:174)
at com.microsoft.identity.common.internal.net.AbstractHttpClient.get(AbstractHttpClient.java:47)
at com.microsoft.identity.common.internal.providers.microsoft.azureactivedirectory.AzureActiveDirectory.performCloudDiscovery(AzureActiveDirectory.java:188)
at com.microsoft.identity.common.internal.migration.AdalMigrationAdapter.loadCloudDiscoveryMetadata(AdalMigrationAdapter.java:238)
at com.microsoft.identity.common.internal.migration.AdalMigrationAdapter.adapt(AdalMigrationAdapter.java:119)
at com.microsoft.identity.common.internal.migration.TokenMigrationUtility$1.run(TokenMigrationUtility.java:67)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:920)
Caused by: java.security.cert.CertificateException: Chain validation failed
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:719)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:570)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:353)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
... 37 more
Caused by: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:222)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:301)
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:715)
... 52 more
Caused by: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:619)
at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:709)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:363)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 57 more
Suppressed: java.security.cert.CertPathValidatorException: Could not determine revocation status
at sun.security.provider.certpath.RevocationChecker.buildToNewKey(RevocationChecker.java:1092)
Another error that is showing is "Unable to perform cloud discovery".
I am facing this issue only in Android 12.

Android Trust anchor for certification path not found for Self signed certificate using Okhttp

My Server is using Self-Signed certificate. I am using Okhttp + Retrofit for api calls. I have got crt file and public key [SHA-256] from the server. Following this and this links from Google docs, I have created a network_security_config file in xml folder and added my crt file in raw folder and added it in manifest file as
android:networkSecurityConfig="@xml/network_security_config"
Here is my network config file as per Google docs:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">2.48.3.66:</domain>
        <pin-set>
            <pin digest="SHA-256">ofJqMSD8j9q3w5myKalxjJO5OklHyBqgkwgHjqcOhds=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="@raw/ssl_certificate"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
I get following exception when calling an api
Response Failure: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err: at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
W/System.err: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:367)
W/System.err: at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:325)
W/System.err: at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:197)
W/System.err: at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:249)
W/System.err: at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:108)
W/System.err: at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:76)
W/System.err: at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:245)
W/System.err: at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err: at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:96)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err: at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err: at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:219)
W/System.err: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:100)
W/System.err: at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:197)
W/System.err: at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:502)
W/System.err: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
W/System.err: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
W/System.err: at java.lang.Thread.run(Thread.java:919)
So following are my queries:
1. Is this the right way to implement self-signed certificate pinning? Because Google clearly mentions in their docs that "Fortunately, you can teach your application to trust custom CAs by configuring your application's Network Security Config, without needing to modify the code inside your application."
2. If network_security_config is correct, then how do I check if there is any issue with the server configuration (crt file + public key)?
3. Do I manually need to load the crt file and then use keystore + sslfactory to configure SSL pinning as mentioned in this link?
Note: For now, just to run the APIs, I am using a trust manager that does not validate certificate chains, as follows:
try {
    val trustAllCerts: Array<TrustManager> = arrayOf(object : X509TrustManager {
        override fun checkClientTrusted(chain: Array<out java.security.cert.X509Certificate>?, authType: String?) {
        }
        override fun checkServerTrusted(chain: Array<out java.security.cert.X509Certificate>?, authType: String?) {
        }
        override fun getAcceptedIssuers(): Array<out java.security.cert.X509Certificate>? = arrayOf()
    })
    // Install the all-trusting trust manager
    val sslContext = SSLContext.getInstance("SSL")
    sslContext.init(null, trustAllCerts, SecureRandom())
    // Create an ssl socket factory with our all-trusting manager
    val sslSocketFactory = sslContext.socketFactory
    if (trustAllCerts.isNotEmpty() && trustAllCerts.first() is X509TrustManager) {
        builder.sslSocketFactory(sslSocketFactory, trustAllCerts.first() as X509TrustManager)
        builder.hostnameVerifier { hostname, session -> true }
    }
} catch (e: Exception) {
}
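The question above asks how to check the crt file and the public key pin. One way to do that offline is sketched here as an added example, not part of the original post: it recomputes the SHA-256 pin over the certificate's SubjectPublicKeyInfo, compares it with the configured pin, and checks validity dates and subjectAltName coverage. The class name `BundledCertCheck` and its three command-line arguments are assumptions.

```java
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

// Added example (not from the original post). Offline checks on the certificate
// file that the app bundles under res/raw. Run with Java 11 or later:
//   java BundledCertCheck.java <cert-file> <host> <expected-pin>
// All three arguments are supplied by the reader (assumed inputs).
public class BundledCertCheck {

    // Base64(SHA-256(DER SubjectPublicKeyInfo)): the value format of <pin digest="SHA-256">.
    static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(spki));
    }

    // True when subject equals issuer and the signature verifies under the cert's own key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // True when a subjectAltName entry covers the host. GeneralName types:
    // 2 = dNSName, 7 = iPAddress. Only IPv4 literals are treated as addresses here.
    static boolean sanCovers(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        boolean hostIsIp = host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String name = String.valueOf(san.get(1)).toLowerCase(Locale.ROOT);
            if (hostIsIp && type == 7 && name.equals(h)) {
                return true;
            }
            if (!hostIsIp && type == 2) {
                if (name.equals(h)) {
                    return true;
                }
                // A wildcard stands for exactly one non-empty left-most label.
                int firstDot = h.indexOf('.');
                if (name.startsWith("*.") && h.endsWith(name.substring(1))
                        && firstDot > 0 && firstDot == h.length() - name.length() + 1) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: BundledCertCheck <cert-file> <host> <expected-pin>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new BufferedInputStream(new FileInputStream(args[0]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        String pin = spkiPin(cert);
        boolean pinOk = pin.equals(args[2]);
        boolean validNow;
        try {
            cert.checkValidity();
            validNow = true;
        } catch (CertificateException e) {
            validNow = false;
        }
        boolean sanOk = sanCovers(cert, args[1]);

        System.out.println("subject        : " + cert.getSubjectX500Principal());
        System.out.println("self-signed    : " + isSelfSigned(cert));
        System.out.println("valid now      : " + validNow
                + " (" + cert.getNotBefore() + " .. " + cert.getNotAfter() + ")");
        System.out.println("SPKI pin       : " + pin);
        System.out.println("pin matches    : " + pinOk);
        System.out.println("SAN covers host: " + sanOk);
        System.exit(pinOk && validNow && sanOk ? 0 : 1);
    }
}
```

A pin mismatch blocks the connection even when the trust anchor is accepted, and a certificate without a subjectAltName entry for the host fails hostname verification, so both checks are worth running before removing the trust-all workaround.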

Secured connection in grpc

I have issues in connecting to my server using gRPC. The server uses certificate files (rpc.cert and rpc.key) to authenticate, but I do not know how to include those files. Currently this is the code I use to connect:
ManagedChannel channel = OkHttpChannelBuilder.forAddress("127.0.0.1", 9111)
    .usePlaintext(true)
    .build();
Using the above code throws this error
io.grpc.StatusRuntimeException: UNAVAILABLE: End of stream or IOExceptio
at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.jav
at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:202)
at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:131)
at com.dcrwallet.grpc.WalletLoaderServiceGrpc$WalletLoaderServiceBlo
at com.decrediton.MainActivity$2.onClick(MainActivity.java:86)
at android.view.View.performClick(View.java:5675)
at android.view.View$PerformClick.run(View.java:22641)
at android.os.Handler.handleCallback(Handler.java:836)
at android.os.Handler.dispatchMessage(Handler.java:103)
at android.os.Looper.loop(Looper.java:203)
at android.app.ActivityThread.main(ActivityThread.java:6285)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(Zygote
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:924)
Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:444)
at io.grpc.okhttp.OkHttpProtocolNegotiator.negotiate(OkHttpProtocolNegotiator.java:93)
at io.grpc.okhttp.OkHttpProtocolNegotiator$AndroidNegotiator.negotiate(OkHttpProtocolNegotiator.java:159)
at io.grpc.okhttp.OkHttpTlsUpgrader.upgrade(OkHttpTlsUpgrader.java:63)
at io.grpc.okhttp.OkHttpClientTransport$1.run(OkHttpClientTransport.java:429)
at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb036ce80: Failure in SSL library, usually a protocol error error:1000006b:SSL routines:OPENSSL_internal:BAD_ECC_CERT (external/boringssl/src/ssl/s3_clnt.c:957 0xa74a5d15:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:362)
I cannot find any documentation on using grpc okhttp in Android. The gRPC documentation by Google does not include that, so I pretty much don't know what to do about the error. Thanks
Since the server expects TLS, you can't use plaintext. Normally, you don't need to do anything; grpc-java Channels default to using TLS:
ManagedChannel channel = OkHttpChannelBuilder.forAddress("127.0.0.1", 9111)
    .build();
The client doesn't need any files to identify the server because the server's certificate should be signed by a trusted Certificate Authority (CA).
It's unclear by your question if this is the case though. If you are using a self-signed certificate or a custom CA to sign the certificate then SSLSocketFactory.getDefault(), which grpc-okhttp uses by default, likely will not accept the server's certificate.
In that rarer case, you will need to specify an SSLSocketFactory for gRPC to use:
ManagedChannel channel = OkHttpChannelBuilder.forAddress("127.0.0.1", 9111)
    .sslSocketFactory(yourSslSocketFactory)
    .build();
You would need to include a certificate in the client binary, and yourSslSocketFactory would need to reference that certificate for its TrustManager. As an example (taken from some grpc tests):
// theRawCert: an InputStream over the certificate bundled with the client
// provider: the security provider chosen by the caller (not shown in this excerpt)
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(theRawCert);
ks.setCertificateEntry("customca", cert);
TrustManagerFactory trustManagerFactory =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(ks);
SSLContext context = SSLContext.getInstance("TLS", provider);
context.init(null, trustManagerFactory.getTrustManagers(), null);
return context.getSocketFactory();

ParseObject test failed with security exception

I am following the quick start guide and I am getting an error for
private void parseServerTest() {
    ParseObject testObject = new ParseObject("TestObject");
    testObject.put("foo", "bar");

    testObject.saveInBackground(new SaveCallback() {
        @Override
        public void done(ParseException e) {
            if (null != e) {
                e.printStackTrace();
            } else {
                Log.d(TAG, "no parse error.");
            }
        }
    });
}
Unless the instructions are missing something, I think I have done everything to the letter.
In case it matters, my app is in development and does not exist on the Play Store yet, not even as a draft.
Here is the error trace:
com.parse.ParseRequest$ParseRequestException: i/o failure
at com.parse.ParseRequest.newTemporaryException(ParseRequest.java:368)
at com.parse.ParseRequest$2.then(ParseRequest.java:206)
at com.parse.ParseRequest$2.then(ParseRequest.java:198)
at bolts.Task$14.run(Task.java:796)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
at java.lang.Thread.run(Thread.java:818)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:235)
at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:486)
at com.android.okhttp.Connection.upgradeToTls(Connection.java:1259)
at com.android.okhttp.Connection.connect(Connection.java:1197)
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:392)
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:295)
at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:373)
at com.android.okhttp.internal.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:106)
at com.android.okhttp.internal.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:208)
at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:218)
at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:25)
at com.parse.ParseURLConnectionHttpClient.executeInternal(ParseURLConnectionHttpClient.java:42)
at com.parse.ParseHttpClient$ParseNetworkInterceptorChain.proceed(ParseHttpClient.java:155)
at com.parse.ParsePlugins$1.intercept(ParsePlugins.java:111)
at com.parse.ParseHttpClient$ParseNetworkInterceptorChain.proceed(ParseHttpClient.java:144)
at com.parse.ParseHttpClient.execute(ParseHttpClient.java:119)
at com.parse.ParseRequest$3.then(ParseRequest.java:195)
at com.parse.ParseRequest$3.then(ParseRequest.java:192)
at bolts.Task$14.run(Task.java:796)
at bolts.BoltsExecutors$ImmediateExecutor.execute(BoltsExecutors.java:105)
at bolts.Task.completeAfterTask(Task.java:787)
at bolts.Task.continueWithTask(Task.java:599)
at bolts.Task.continueWithTask(Task.java:610)
at bolts.Task$12.then(Task.java:702)
at bolts.Task$12.then(Task.java:690)
... 4 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:113)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:574)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:320)
... 29 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 35 more
There seems to be a time delay. I moved on to something else. And now, four hours later, I run the very same code and it works. I changed nothing. So there must be some sort of time delay for newly opened Parse accounts.

Automated email sending failure in Android

By following all the steps mentioned in this post, I am able to send emails programmatically from my Android device using Gmail credentials. But as soon as I switch to a third-party SMTP provider (provided by my ISP), the program starts to throw the following exception:
javax.mail.MessagingException: Could not connect to SMTP host: cp-10.webhostbox.net, port: 465;
nested exception is:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1391)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:412)
at javax.mail.Service.connect(Service.java:310)
at javax.mail.Service.connect(Service.java:169)
at javax.mail.Service.connect(Service.java:118)
at javax.mail.Transport.send0(Transport.java:188)
at javax.mail.Transport.send(Transport.java:118)
at com.**.oms.utils.GMailSender.sendMail(GMailSender.java:66)
at com.**.oms.NewUserSignUp$1.run(NewUserSignUp.java:58)
at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
at java.lang.Thread.run(Thread.java:841)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:409)
at com.android.org.conscrypt.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:661)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:632)
at com.sun.mail.smtp.SMTPTransport.initStreams(SMTPTransport.java:1449)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1366)
... 12 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:282)
at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:202)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:611)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
... 16 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 21 more
Below mentioned is the set of properties that I am setting (including the one to accept all the certificates):
Properties props = new Properties();
props.setProperty("mail.transport.protocol", "smtp");
props.setProperty("mail.host", mailhost);
props.put("mail.smtp.auth", "true");
props.put("mail.smtp.debug", "true");
props.put("mail.smtp.port", "465");
props.put("mail.smtp.socketFactory.port", "465");
props.put("mail.smtp.ssl.checkserveridentity", false);
props.setProperty("mail.smtp.ssl.trust", "*");
props.put("mail.smtp.starttls.enable", true);
props.put("mail.smtp.socketFactory.class",
"javax.net.ssl.SSLSocketFactory");
props.put("mail.smtp.socketFactory.fallback", "false");
props.setProperty("mail.smtp.quitwait", "false");
As you can see, I am already accepting all the certificates, but I am still getting this certificate error. Can someone please explain this behavior and the solution to the same?
First, get rid of all the socket factory stuff.
What version of JavaMail are you using? What does the JavaMail debug output show? If you're using an old version of JavaMail, it doesn't support the properties you're setting and you might need to use this approach.
