i'm facing problem when implementing ssl to my web. My web work as web services for android and ios. All goes very smooth until i implement the SSL certificates, suddenly the android (most of android except samsung) throw this error :
E/ErrorHTTP: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
then i google and landed to here :
google says about the error
support the google statement
work around for the error to accept the not valid ssl
it says that mostly happened because of :
The CA that issued the server certificate was unknown
The server certificate wasn't signed by a CA, but was self signed
The server configuration is missing an intermediate CA
Those three options already ruled out, i already check with ssl checker. Its none of those above, it's not unknown, it's not self signed, we're using comodo and the intermediates and root certificates also valid, you can check here : ssl checker for my link,
you can check it by yourself.
And now i'm stuck, the certificate is valid. The certificate also can open in samsung, but somehow fail in some other brand, for example xiao mi. I don't know where to look now, is it the :
the ssl configuration, i need to keep digging, even though it marked as valid in most validator.
make the android code more vulnerable, even some brand can access it, i mean is it because the brand or how ?.
The spec im using :
ASP .Net Core 2.0.
Kestrel.
Comodo certificates.
Native android.
Please help !, thank you.
WebAPI (built with .Net) is hosted on a server and called from iOS and Android apps using HTTPS. No changes has been made in certificates or otherwise. iOS app works fine, web app using the same api works fine but since this morning all Android apps (running on Android version 5x or less only) using the API has stared crashing with this error.
android.runtime.JavaProxyThrowable: System.AggregateException: One or more errors occurred. ---> System.Net.WebException: Error: TrustFailure (The authentication or decryption has failed.) ---> System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.
Checked certificates, certificate chain, everything. No issues. If the certificate is invalid, no other apps should be working and why all of a sudden. Can someone point to where to look. I searched this site and found a few threads but their solutions require changes in Android app code. That can't be done (and deployed) so quickly. Why all of a sudden, if someone can throw some light on it. Even nothing has been updated in our test Android devices.
Tested the server through ssllab and handshakes come on Android simulations:
Solved and the app on those older Android versions works now. I had to disable COMODO root certificate COMODO RSA Certification Authority with SHA1 key afe5d244a8d1194230ff479fe2f897bbcd7a8cb4 in certificate manager everywhere it was. Apparently windows update added this and it was somehow conflicting and making an intermediate certificate not being sent from the server (in the second certificate chain, the first chain was ok). Normally if an intermediate certificate is not sent, clients download it from the issuer but Android mono framework apparently doesn't do that.
Thank you Adm Selec https://community.qualys.com/thread/15295 for the solution.
Apache server, followed the guide from here: https://www.startssl.com/Support?v=21
httpd.conf:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile "/usr/local/apache2/conf/domain.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/private.key"
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"
Works fine in Chrome but Firefox yields the following error:
Error code: SEC_ERROR_UNKNOWN_ISSUER
Analysis at https://www.sslshopper.com/ssl-checker.html says the following:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
How can I make the chain valid?
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"
... You may need to install an Intermediate/chain certificate to link it to a trusted root certificate
The SSLCertificateChainFile option was obsoleted in Apache version 2.4.8 and any chain certificates need to be added to SSLCertificateFile instead. Since you are using 2.4.23 based on your comment this means that this setting was ignored. This means that no chain certificates were sent to the client, causing the validation error. You should have gotten a message in the error logs though pointing out the invalid setting.
I guess you can not. Mozilla was planning to distrust certificates issued by StartSSL for a period of one year starting in October 2016. Better use Let's encrypt as StartSSL (also known as StartCom is in trouble). What you see is probably that happening.
If curious you can read up more:
WoSign and StartCom issues summary document.
mozilla.dev.security.policy › Remediation Plan for WoSign and StartCom.
I am trying to authenticate my android application over a https connection to the server.
I a getting the following exception while trying to authenticate. While looked up for solution, there were lots of suggestions about binding certificate with apk, ignoring the certificate validation etc.
Detailed StackTrace
The problem is, in few phones and emulators this authentication over https works perfectly fine. And in my phone as well as in my emulator it doesn't go through. So looks like its more of a device issue than code one.
Has anyone else have faced this kind of issue and sorted out?
The error meaning is: the SSL certificate chain (from the server certificate to a trust anchor in the Root CA store) has been rebuild by the application but the validation of this chain failed for any reason.
In the stacktrace the underlying error is java.security.NoSuchProviderException: AndroidOpenSSL. It means that the application tries to instantiate a signature validation object with a cryptographic provider which is not present in the android system. This error makes me thinking that it may be an android version issue.
Can you tell us the target API level used to build your application? And what are the versions of the terminals on which the application works and does not work?
I have Android 4.3 forced to use Charles proxy via IPTABLES.
The charles certificate is installed on the phone.
I am able to capture normal SSL traffic like https websites in the browser.
All POST and GET methods seem to work fine.
In a particular app, it fails when using the SSL CONNECT method.
URL: https://XX.XX.XXX.XXX/
Status: Failed
Failure: SSLHandshake: Received fatal alert: unknown_ca
Response Code: - Protocol: HTTP/1.0
Method: CONNECT
From iOS 10.3 you also need to go to Settings > General > About > Certificate Trust Settings and trust Charles certificate.
You can face with this problem at some applications like Facebook or Instagram.
Charles certificate doesn't work at some new apps because they are using a technique named as SSL-PINNING. First of all you have to break ssl-pinning system of application or you can instal old version of application then it sometimes works but we need a new solution about ssl pinning in order to record traffic for this kind of applications.
as #Berkay Yıldız says, it probably using ssl/certificate pinning.
how to fix/avoid/disable ssl pinning?
the whole logic is:
LEVEL 1: for normal http:
core logic:
PC:Mac/Windows
Charles set http proxy
set port
app use Charles proxy
inside Wifi, set
host IP
port
Note:
computer side, MUST use wired network, NOT wireless, otherwise mobile side network not usable
LEVEL 2: for encrypted https:
PC
install Charles root certificate
Mac:use Key Chain to trust Charles Root CA
Charles
Enable SSL Proxying
set location filter for your specific api address
phone
app
install Charles Root CA
Note: type should select: VPN and Application
NOT select:WLAN
makesure certificate install successfully
Trusted Credentials -> User, can see installed Charles certificate
LEVEL 3: for SPECIAL https which using ssl pinning:
Phone:
make sure root or jailbreak
Android:has rooted
for later to install tool: Xposed
iOS:has jail break
for later to install tool: Cydia
then install plugin/tool, capable of avoid/disable ssl pinning
Android:
JustTrustMe (based on Xposed)
Android-SSL-TrustKiller (Cydia Substrate)
iOS:
SSL Kill Switch 2 (based on Cydia)
old version:iOS SSL Kill Switch (based on Cydia)
more detailed summary please refer my post (written in Chinese): 1 and 2
Some folks my end up here with android N Devices that won't do SSL over charles even after installing the cert - now on http://chls.pro/ssl
In N - you need to also add an xml file and security config. This post goes into more details: How to get charles proxy work with Android 7 nougat?
I have met the same problem. And after installing the latest certificate, it is solved.
On your phone, visit http://charlesproxy.com/getssl to download the cert. Upon downloading the cert in android, it will prompt you to install the cert, give the cert a name and continue. It should now work.
Note: The sshould be similar on an iPhone
I got the following error when I was trying to install the cert on my Nexus 6p, Android 6.0. (I followed the instructions in charles and downloaded the cert via http://chls.pro/ssl.):
Couldn't install because the certificate file couldn't be read.
The solution to this problem was to install via:
Settings > Security > Install from storage
After navigating to the cert file and installing it everything worked as expected.
On this link http://www.charlesproxy.com/documentation/using-charles/ssl-certificates/ you have all the information you need on properly installing the Charles certificate.
After installing it you'll get rid of the "SSLHandshake: Received fatal alert: unknown_ca" error.
If you get this with an app using facebook login on an android phone, I got around it by uninstalling the fb app. Then the mobile fb web is used instead and I can charles everything. With the fb app installed the fb api fails with SSL error.
On Samsung phones, you should install the certificate by navigating to Biometrics and security/Other security settings/Install from device storage/CA Certificate.
I am using Charles 4.2.5 and Nexus 6P on Android 8.1.
One cannot use Charles to track https on my mobile phone.
Plz note that after Android N, we cannot capture normal SSL traffic of others'app.
Here is the official website of Charles.
https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/
Android As of Android N, you need to add configuration to your app in
order to have it trust the SSL certificates generated by Charles SSL
Proxying. This means that you can only use SSL Proxying with apps that
you control.
In order to configure your app to trust Charles, you need to add a
Network Security Configuration File to your app. This file can
override the system default, enabling your app to trust user installed
CA certificates (e.g. the Charles Root Certificate). You can specify
that this only applies in debug builds of your application, so that
production builds use the default trust profile.
Add a file res/xml/network_security_config.xml to your app:
Then add a reference to this file in your app's manifest, as follows:
...