Bug 47836 - Android: "Trust anchor for certification path not found." (w/ invalid cert on server side)
Status: RESOLVED FIXED
Alias: None
Product: Android
Classification: Xamarin
Component: BCL Class Libraries
Version: 7.1 (C9)
Hardware: Other Linux
Importance: --- major
Target Milestone: ---
Assignee: Martin Baulig
Reported: 2016-11-24 13:33 UTC by Bernhard Urban
Modified: 2017-08-18 07:38 UTC

Attachments
repro for "Trust anchor for certification path not found." (5.80 MB, application/zip)
2016-11-24 13:33 UTC, Bernhard Urban

Description Bernhard Urban 2016-11-24 13:33:38 UTC
Created attachment 18650
repro for "Trust anchor for certification path not found."

The attached Android app does a request when clicking the button to https://performancebot.mono-project.com/api/health which works with C8 but fails on C9:

MonoDroid: UNHANDLED EXCEPTION:
MonoDroid: Javax.Net.Ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertPathValidatorException: Trust anchor for certification path not found.

full stack trace:
https://gist.github.com/lewurm/84e784455558497d1fcb17d750de366b


We do this fishy thing, because we don't have a valid certificate on the server side, so that's probably the culprit?

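		using System.Net;
		using System.Security.Cryptography.X509Certificates;

		// Accepts every server certificate, whatever validation problem is
		// reported, so TLS server authentication is effectively switched off.
		public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy {
			public TrustAllCertificatePolicy () {
			}

			public bool CheckValidationResult (ServicePoint sp, X509Certificate cert, WebRequest req, int problem) {
				return true;
			}
		}

		// Static constructor of the enclosing HttpApi class (rest of the class not shown).
		static HttpApi () {
			// remove when we have a valid SSL cert
			System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy ();
		}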
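
A narrower alternative to the trust-all policy in the description above, added here as an example (it is not code from the reporter or from Xamarin): validation failures are tolerated only for the one host named in the report, and only when the presented certificate matches a pinned SHA-256 fingerprint. The class name PinnedCertificatePolicy and the fingerprint placeholder are hypothetical, and the code assumes the request goes through the managed HttpWebRequest stack, which passes the request as the callback's sender.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificatePolicy {
    // Host taken from the report above. The fingerprint is a placeholder and must be
    // replaced with the SHA-256 of the server's DER-encoded certificate, in hex.
    const string PinnedHost = "performancebot.mono-project.com";
    const string PinnedSha256 = "<SHA-256 OF THE SERVER CERTIFICATE, HEX>";

    public static void Install () {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    // Decision logic kept separate from the callback so it can be unit-tested.
    public static bool IsAcceptable (string host, byte[] rawCert, SslPolicyErrors errors) {
        if (errors == SslPolicyErrors.None)
            return true;   // chain and host name validated normally

        // The exception to normal validation applies to exactly one host.
        if (rawCert == null || !string.Equals (host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the otherwise-invalid certificate only if it is the pinned one.
        using (var sha = SHA256.Create ()) {
            string actual = BitConverter.ToString (sha.ComputeHash (rawCert)).Replace ("-", "");
            return string.Equals (actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    static bool Validate (object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) {
        // Assumption: sender is the HttpWebRequest being validated.
        // Any other sender yields a null host and is rejected on validation errors.
        var request = sender as HttpWebRequest;
        string host = request != null ? request.Address.Host : null;
        byte[] raw = cert != null ? cert.GetRawCertData () : null;
        return IsAcceptable (host, raw, errors);
    }
}
```

Every other host still gets full chain and name validation, and the pin has to be updated whenever the server certificate is replaced.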

Comment 1 Dave Friedel 2017-01-17 20:45:38 UTC
We are seeing this as well and not doing anything "fishy".  In our case we are using an Honor phone with a valid certificate with the following information:

Android: 6.0
Build: FRD-L04C567B162

The certificate that works:
https://www.screencast.com/t/WUhyLW5Bh

The certificate that fails:
https://www.screencast.com/t/QipxkblG

Comment 2 Dave Friedel 2017-01-18 01:44:01 UTC
I forgot the stacktrace:


Javax.Net.Ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertPathValidatorException: Trust anchor for certification path not found.
   --- End of inner exception stack trace ---
   --- End of inner exception stack trace ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <3dc9ed3d31194319991e686734adcb10>:0 
  at ModernHttpClient.NativeMessageHandler+<SendAsync>c__async0.MoveNext () [0x00345] in <51795dd1dbb344bdacae7208f448a6b3>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Net.Http.HttpClient+<SendAsyncWorker>c__async0.MoveNext () [0x000f3] in <6e92ad09d0bd49b996fe288564eee203>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <3dc9ed3d31194319991e686734adcb10>:0 
  at System.Runtime.CompilerServices.TaskAwaiter`1[TResult].GetResult () [0x00000] in <3dc9ed3d31194319991e686734adcb10>:0 
  at PlayerLync.Common.Data.Api.PlayerLyncAPIProvider+<PlayerLync-Common-Data-Api-IPlayerLyncApiProvider-ClientOnlyOAuthAccessTokenAsync>d__20.MoveNext () [0x0028e] in <c60311b35570421ebc98a6f05e20c480>:0 
  --- End of managed Javax.Net.Ssl.SSLHandshakeException stack trace ---
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:306)
	at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:242)
	at com.squareup.okhttp.Connection.connect(Connection.java:159)
	at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:175)
	at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:120)
	at com.squareup.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:330)
	at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:319)
	at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:241)
	at com.squareup.okhttp.Call.getResponse(Call.java:271)
	at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:228)
	at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:199)
	at com.squareup.okhttp.Call.access$100(Call.java:34)
	at com.squareup.okhttp.Call$AsyncCall.execute(Call.java:162)
	at com.squareup.okhttp.internal.NamedRunnable.run(NamedRunnable.java:33)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
	at java.lang.Thread.run(Thread.java:818)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
	at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219)
	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:113)
	at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:525)
	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
	... 16 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
	... 22 more

Comment 3 John Miller [MSFT] 2017-06-30 19:15:14 UTC
Thank you for taking the time to submit the bug. We are unable to reproduce this issue with the attached project and Xamarin.Android 7.3. Please let me know if there are some other steps to take and if you can confirm that 7.3 works for you. Thanks!

Comment 4 Bernhard Urban 2017-08-18 07:38:31 UTC
7.3 works for me, thanks.