Question
I need to connect to my server API with TLS_v1; the server certificate is signed by a CA that is not included in older versions of Android, so I used this Google document to implement a custom TrustManager. Everything works on API 18 and above, but it throws SSLHandshakeException in JELLY_BEAN (API 17):
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
I have another server URL and certificate (in this case self-signed) that works even in JELLY_BEAN with the same TrustManager implementation!!
I'm using OkHttp 2.4 as the HTTPS client. I'm confused about what goes wrong?
Updated: this is the result of SSLLabs:
The intermediate and root TurkTrust CA (shown above) were added to my TrustManager.
Answer 1:
A possible explanation is that the server requires Server Name Indication (SNI) to send the proper certificate back and sends only some default certificate if SNI is not used. Thus the client would not get the expected certificate and the validation would fail.
According to the documentation OkHTTP should support SNI, but a recent report indicates otherwise. In the Changelog I cannot see when it was added. It might also be that support depends on the underlying libraries.
EDIT: based on the report from SSLLabs which was added to the question, it is now clear that the problem is a missing intermediate certificate at the server. This is shown in the report by
Chain Issues: Incomplete, Extra Download, ....
In this case it will not help if the client has explicitly added the root CA (Türktrust Elektronik Sertifika...), because due to the missing intermediate CA (Türktrust SSL Sertifikasi Hizmitleri) no trust chain can be built from the leaf certificate of the site to the root certificate. From the report it can also be seen that the server not only fails to include the chain certificate but that the server also adds some certificate which does not belong to the chain at all. Thus my guess is that there was an attempt to include a chain certificate but the wrong one was used and, apart from that, at the wrong place (after the root instead of after the leaf certificate).
While some desktop browsers work around such problems, most mobile browsers will not work around this server side misconfiguration, and the SSL APIs for Python, PHP, Java,... will also fail. Therefore this is a problem which needs to be fixed at the server.
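The chain-building point above, reproduced offline as an added example (not code from the answer or the question): a constructed, hypothetical root/intermediate/leaf chain is generated with OpenSSL, and the same leaf is validated three ways, trusting only the root, trusting the root plus an extra copy of the root (as the misconfigured server does), and with the intermediate available to the chain builder. All names and files are constructed test material; the leaf fails to validate until the intermediate is present.

```shell
#!/bin/sh
# Constructed demo chain (hypothetical names, not the asker's TurkTrust chain).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certs may sign certs; the leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > leaf.ext

# One key pair and CSR per entity.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}
mkcsr root  "Example Root CA"
mkcsr inter "Example Intermediate CA"
mkcsr leaf  "api.example.test"

# root (self-signed) -> inter (signed by root) -> leaf (signed by inter)
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.pem >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Case 1: the server sends only the leaf; the client trusts the root.
# The chain builder has no issuer for the leaf, so validation fails.
verify_root_only() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }

# Case 2: the server sends the leaf plus the root (the wrong extra cert).
# The root does not sign the leaf, so this still fails.
verify_root_as_extra() {
  openssl verify -CAfile root.pem -untrusted root.pem leaf.pem >/dev/null 2>&1
}

# Case 3: the intermediate is available (sent by the server, or supplied
# by the client as an untrusted chain cert); now a path to the root exists.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

if verify_root_only; then echo "unexpected: root alone validated"; fi
if verify_root_as_extra; then echo "unexpected: root as extra validated"; fi
verify_with_intermediate && echo "leaf validates once the intermediate is present"
```

The same fix applies on the server side: send the intermediate after the leaf instead of an unrelated certificate.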
Source: https://stackoverflow.com/questions/36843098/sslhandshakeexception-in-api-17-jelly-bean-when-using-custom-ca