Sunday, 7 October 2018

javax.net.ssl.SSLPeerUnverifiedException: No peer certificate on Android 4.x and 5.x

I am running my app on Android 4.4.2 and it throws this error:

07-03 08:43:59.255 21643-21803/com.myapp W/System.err: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at com.myapp.Util.Util$1.run(Util.java:242)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at java.lang.Thread.run(Thread.java:841)
07-03 08:43:59.475 21643-21643/com.myapp E/ViewRootImpl: sendUserActionEvent() mView == null

It works correctly on Android 6.x and above. Only Android 4.x and 5.x fail. I have not tried Android 3.x and below but I would be fine if I could only fix it for Android 4.x and 5.x. The interesting thing is that it used to work in the past and all of a sudden it stopped working without me changing the source code of the app. When I go to https://www.digicert.com/help/ to test my server SSL Certificate, everything passes:

DNS resolves <Domain> to <IP address>
HTTP Server Header: Apache

SSL certificate
Common Name =

Subject Alternative Names = <subdomain>.<Domain>, <Domain>, m.<Domain>, www.<Domain>

Issuer = COMODO RSA Extended Validation Secure Server CA

Serial Number = 5A34235B2A2B53B35354232B123B23C5

SHA1 Thumbprint = 98C357AC34A23B232134B2A4C23A2B23AC23A532

Key Length = 2048

Signature algorithm = SHA256 + RSA (excellent)

Secure Renegotiation: Supported

SSL Certificate has not been revoked
OCSP Staple:    Good
OCSP Origin:    Good
CRL Status: Good

SSL Certificate expiration
The certificate expires May 24, 2019 (325 days from today)

Certificate Name matches <Domain>

Subject 
Valid from 11/Jun/2017 to 24/May/2019
Issuer  COMODO RSA Extended Validation Secure Server CA


Subject COMODO RSA Extended Validation Secure Server CA
Valid from 12/Feb/2012 to 11/Feb/2027
Issuer  COMODO RSA Certification Authority


Subject COMODO RSA Certification Authority
Valid from 30/May/2000 to 30/May/2020
Issuer  AddTrust External CA Root
SSL Certificate is correctly installed
Congratulations! This certificate is correctly installed.

My SSL Certificate looks fine. I wonder why Android 4.x and 5.x are throwing this javax.net.ssl.SSLPeerUnverifiedException: No peer certificate error.

UPDATE 1: The SSL report shows that everything is fine with my SSL certificate. Why is Android complaining? This is the report:


I am using https://www.ssllabs.com/ssltest/

UPDATE 2: Reading https://developer.android.com/reference/javax/net/ssl/SSLPeerUnverifiedException.html#SSLPeerUnverifiedException(java.lang.String), what I understand is that the server was not able to identify itself. Why? I guess because in theory the server is missing the required peer certificate. It sounds like a contradiction when you see that, using https://www.ssllabs.com/ssltest/ in UPDATE 1, the SSL report shows my server passing the certificate tests correctly.

UPDATE 3: My certificate authority (CA) is COMODO. My SSL report shows that everything is good with my SSL certificate: https://www.ssllabs.com/ssltest/analyze.html?d=cuponclub.net. When I make a server request from a web browser, everything is good: https://cuponclub.net/San-salvador/deals/json_index/. See how the HTTPS connection is successful, the certificate is valid from the browser and everything looks perfect. No errors on Android 6.x and above, but why is it that Android 4.x and 5.x keep complaining about my SSL certificate, throwing this error in the Android Studio logs when I try to compile my app on Android 4.x or 5.x?:

W/System.err: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
W/System.err:     at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
W/System.err:     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
W/System.err:     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err:     at com.couponclub.Util.Util$1.run(Util.java:242)
W/System.err:     at java.lang.Thread.run(Thread.java:841)

UPDATE 4: Looking at the answers at Error in android application: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate, they suggest that the problem could be related to the Server Name Indication (SNI). When I use https://www.ssllabs.com/ssltest/ to analyze my site, I see this in the results in red:

Alternative names    [................]    MISMATCH
Trusted              No                    NOT TRUSTED (Mozilla, Apple, Android, Java, Windows)

Maybe my problem is related to this Server Name Indication (SNI) or the lack of it?

UPDATE 5: I am getting this "No SNI" in red from https://www.ssllabs.com/ssltest/. Maybe that is causing the problem?

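What the "No SNI" row in UPDATE 4 and UPDATE 5 means in practice, as an added example in Go (this is not part of the original post and not the asker's code): a loopback TLS server that behaves like a name-based virtual host, handing out the right certificate only when the ClientHello names the host through SNI and otherwise falling back to a default certificate, plus a client that does what the org.apache.http stack in the trace above does, which is to finish the handshake first and only then fetch the peer certificate and check it against the expected name. The host names app.example and default.example and the self-signed certificates are constructed for the example; nothing here touches the asker's server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const (
	wantedHost  = "app.example"     // constructed name for the vhost the client wants
	defaultHost = "default.example" // constructed name for the server's default vhost
)

// must panics on error; acceptable here because it only guards test-material setup.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds an in-memory self-signed server certificate for host (test material only).
func selfSigned(host string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host}, // x509 name checks use SANs, so no CN is needed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serverConfig mimics name-based virtual hosting: the matching certificate is served only when
// the ClientHello names wantedHost via SNI; otherwise the default vhost's certificate goes out.
func serverConfig(wanted, def tls.Certificate) *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == wantedHost {
				return &wanted, nil
			}
			return &def, nil
		},
	}
}

// runServer listens on loopback and drives each handshake; outcomes are judged on the client side.
func runServer(cfg *tls.Config) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() { // ends when Demo closes ln
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln
}

// legacyStyleConnect does what the org.apache.http stack in the trace does: finish the handshake,
// then fetch the peer certificate and verify it against wantedHost. An empty serverName sends no
// SNI at all. It returns the SAN the server presented and the verification error, if any.
func legacyStyleConnect(addr, serverName string, roots *x509.CertPool) (string, error) {
	raw := must(net.DialTimeout("tcp", addr, 5*time.Second))
	// InsecureSkipVerify only disables Go's built-in check; the manual Verify below replaces it.
	conn := tls.Client(raw, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return "", errors.New("no peer certificate") // the SSLPeerUnverifiedException branch
	}
	_, err := peers[0].Verify(x509.VerifyOptions{Roots: roots, DNSName: wantedHost})
	return peers[0].DNSNames[0], err
}

// Demo stands up the vhost server and connects once with SNI and once without; each result is the
// name the server presented plus the verification error (nil means chain and name both checked out).
func Demo() (sniName string, sniErr error, noSNIName string, noSNIErr error) {
	wanted, def := selfSigned(wantedHost), selfSigned(defaultHost)
	roots := x509.NewCertPool()
	roots.AddCert(wanted.Leaf)
	roots.AddCert(def.Leaf) // both chains are trusted, so only the name check can fail
	ln := runServer(serverConfig(wanted, def))
	defer ln.Close()
	sniName, sniErr = legacyStyleConnect(ln.Addr().String(), wantedHost, roots)
	noSNIName, noSNIErr = legacyStyleConnect(ln.Addr().String(), "", roots)
	return
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`. With SNI the client receives the app.example certificate and verification passes; without SNI the server falls back to the default vhost's certificate, so the handshake itself succeeds but the name check fails, which is the MISMATCH / NOT TRUSTED row SSL Labs prints for the non-SNI case. A server that presents no certificate at all without SNI lands in the "no peer certificate" branch instead, the exact message in the trace. Either way the thing to change is the client: the Apache HttpClient bundled with older Android does not send SNI, while HttpsURLConnection has done so since Android 2.3, so moving the request off org.apache.http is the usual remedy.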



from javax.net.ssl.SSLPeerUnverifiedException: No peer certificate on Android 4.x and 5.x
