Skip to main content

I ran into something that was a pretty hard problem to diagnose: the FSM Android mobile app was not working with HTTPS, but it was working with HTTP. The app doesn't really show exceptions when it fails to establish a connection, it just says: Incorrect service URL or network connectivity, which is accurate, but not very useful. If it showed exceptions it would have said: javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:Trust anchor for certificate path not found.

It took quite a bit of VPN, Firewall and server TCP tracing in order to recognise the issue was likely the TLS handshake and that the customer was using self signed certificates.The solution involved adding trust anchors for self signed certificates in the code (network_security_config.xml), which is a modification.

<trust-anchors>    <certificates src="system" />    <certificates src="user" /></trust-anchors>

Please note that the customer was already adding the CA into the local device and all other apps were already working. FSM wasn't because it was not instructed to validate user provided self signed authorities.

Additionally I left the code that shows exceptions in place in case we have future issues that we need to diagnose.

Hi Gui,

thanks for sharing this!

I faced such SSL issues as well when a self-signed certificate was used for FSM Mobile. At the end we ended up using certificates from a known-CA. Sometimes the same error was also shown when the certificate chain was incomplete on the hosting Server.

Eventually it’s worth to either report this via ticket to Support or create an idea to change the baseline code to allow self-sgined certificates.

 

Best regards
Roman


Reply