On my server (production server), I have a GoDaddy SSL certificate. I have both iOS and Android apps connecting to the server. iOS connects with no problems, and on Android 4.* everything is good, but on devices with 2.3.* I always get an SSLHandshakeException.
I did exactly like on Android Developers page (https://developer.android.com/training/articles/security-ssl.html).
I already saw similar threads here on Stack Overflow (here) but none is helping.
Then I saw this thread talking about Extended Key Usage, but when debugging I get the following information:
[2]: OID: 2.5.29.37, Critical: false Extended Key Usage: [ "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2" ]
So I guess the certificate is not “forcing” Extended Key Usage.
Also, that thread lists some other possible causes, such as the date/time being completely wrong, but none of them apply here.
Taking that into consideration, I now don’t know where the problem might be.
Any suggestions?
EDIT: StackTrace below:
08-04 16:54:30.139: W/System.err(4832): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
08-04 16:54:30.149: W/System.err(4832): at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:161)
08-04 16:54:30.149: W/System.err(4832): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:664)
08-04 16:54:30.149: W/System.err(4832): at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
08-04 16:54:30.159: W/System.err(4832): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:474)
Answer
It looks like the issuer of your certificate is not in the trust store of the 2.3 devices.
Take a look at the root and intermediate CAs of your GoDaddy certificate and check whether the certificates are present on your 2.3 device.
See http://www.andreabaccega.com/blog/2010/09/23/android-root-certification-authorities-list/ for obtaining a list of 2.3 certificates.
When only the root CA is available, make sure that your web server also serves the intermediate certificates upon request.
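The check described in this answer can be run against the "Certificate chain" summary printed by `openssl s_client -connect host:443 -showcerts`. The script below is an added example, not part of the original answer; the chain text, the CA names and the device trust-store set are constructed placeholders.

```python
import re

# Constructed sample: server that sends only its leaf certificate.
LEAF_ONLY = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=api.example.com
   i:/C=US/O=Example CA, Inc./CN=Example Intermediate CA - G2
---
"""
# Constructed sample: server that also sends the intermediate.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=api.example.com
   i:/C=US/O=Example CA, Inc./CN=Example Intermediate CA - G2
 1 s:/C=US/O=Example CA, Inc./CN=Example Intermediate CA - G2
   i:/C=US/O=Example CA, Inc./CN=Example Root CA - G2
---
"""
# Assumption: subjects of the root CAs present in the old device's trust store.
DEVICE_ROOTS = {"/C=US/O=Example CA, Inc./CN=Example Root CA - G2"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):(.+)$", line)
        if not m:
            continue
        if m.group(1) == "s":
            subject = m.group(2).strip()
        elif subject is not None:
            chain.append((subject, m.group(2).strip()))
            subject = None
    return chain

def diagnose(text, device_roots):
    """Name-based check only; it does not verify signatures or validity dates."""
    chain = parse_chain(text)
    if not chain:
        return ("no_chain", None)
    # Each certificate must be issued by the next one the server sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return ("broken_chain", issuer)
    top_issuer = chain[-1][1]  # the name the device has to find in its store
    status = "trusted" if top_issuer in device_roots else "untrusted"
    return (status, top_issuer)
```

An "untrusted" result whose second element is an intermediate CA means the server is not sending its intermediates; one that names a root means that root is absent from the device's store.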