DEV Community

Enya Emmanuel

How to Fix the SSL Handshake Exception on Android

Recently I was working on a chat application for the Android platform. Everything regarding the remote/networking implementation worked flawlessly. I used the Retrofit networking library and socket.io. At the time, the base URL was without SSL (that is, the HTTP scheme - http://api.example.com).

Just before we rolled out the MVP for beta testing, we acquired a domain name and enabled SSL on the server. This meant the base URL scheme became HTTPS (e.g. https://api.example.com).

The change on the app to use a secured URL broke the entire app. None of the endpoints were connecting to the server successfully. Basically, the network handshake process between the client and server wasn't successful. Below is what the error in the log looked like:



<-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.



After doing a little research, I discovered it was an issue with the server certificate not being trusted by the Android system. This could be because of any of the reasons below:

  1. The Certificate Authority (CA) that issued the server certificate was unknown.

  2. The server certificate wasn't signed by a CA, but was self-signed.

  3. The server configuration is missing an intermediate CA.

In my case, this issue existed because the server certificate was self-signed.

The Android documentation describes a clean way to configure the app to trust your own self-signed certificates, which I will outline in 3 steps.

Step 1

Add the .crt file to the raw folder.

This file comes from the server. You can request the digital certificate from the backend engineer. It should have a .crt extension.

Step 2

Create an XML network security config file (network_security_config.xml) like below:


network_security_config.xml



<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/certificate" />
        </trust-anchors>
    </domain-config>
</network-security-config>





Step 3

Specify the network security configuration file in the AndroidManifest.xml file of your application.

With these 3 steps done, you should connect seamlessly with the backend without any further issues.
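
The three steps above only work when the manifest, the config file and the bundled certificate all reference each other correctly. The following is an added example, not code from the original post: a small Python check over constructed sample files. The function name `check_wiring` and the file names are assumptions; `android:networkSecurityConfig` is the manifest attribute that points the app at a config file under res/xml, and `@raw/certificate` resolves to a file named `certificate` (any extension) under res/raw.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (file names are assumptions, not from the post).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:networkSecurityConfig="@xml/network_security_config" />
</manifest>"""

NSC = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors>
      <certificates src="@raw/certificate" />
    </trust-anchors>
  </domain-config>
</network-security-config>"""


def check_wiring(manifest_xml, nsc_xml, nsc_name, raw_files, api_host):
    """Return a list of problems with the three-step setup (empty = OK)."""
    problems = []
    # Step 3: <application> must reference res/xml/<nsc_name>.xml.
    app = ET.fromstring(manifest_xml).find("application")
    ref = app.get(ANDROID_NS + "networkSecurityConfig") if app is not None else None
    if ref != "@xml/" + nsc_name:
        problems.append("manifest does not reference @xml/" + nsc_name)
    root = ET.fromstring(nsc_xml)
    # Step 1: every @raw/<name> source must exist in res/raw (extension dropped).
    raw_names = {f.rsplit(".", 1)[0] for f in raw_files}
    for cert in root.iter("certificates"):
        src = cert.get("src", "")
        if src.startswith("@raw/") and src[5:] not in raw_names:
            problems.append("missing res/raw file for " + src)
    # Step 2: keep the bundled certificate scoped to the API host, not app-wide.
    if any(c.get("src", "").startswith("@raw/")
           for base in root.findall("base-config") for c in base.iter("certificates")):
        problems.append("custom CA in <base-config> applies to all other hosts")
    domains = [d.text.strip() for d in root.iter("domain") if d.text]
    if api_host not in domains:
        problems.append("no <domain-config> entry for " + api_host)
    return problems


if __name__ == "__main__":
    print(check_wiring(MANIFEST, NSC, "network_security_config",
                       ["certificate.crt"], "api.example.com") or "wiring OK")
```

The host check is an exact string match and does not expand `includeSubdomains`.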

Top comments (2)

Mobile_dev_techie

This fixed my issue.

pickle780

This really helped me to fix with "Trust anchor for certification path not found."
So how can it sign by itself?