Domain specific configurations require that hostname aware checkServerTrusted

Hi there,

I hope you could help me with this problem:

I’m getting this trace as a Backendless fault message when I try to save an object. It’s important to say that I’m using an emulator with Google Play (Nexus 5) from AVD in Android Studio. I’ve been working with this emulator and Genymotion before and I didn’t get that error, and I could save objects without a problem. So my question is: is there any new change in the configuration for certificates to use with Backendless?

    BackendlessFault{ code: 'Internal client exception', message: 'Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used', detail: 'javax.net.ssl.SSLHandshakeException: Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used
	at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:229)
	at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
	at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
	at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
	at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
	at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
	at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
	at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)
	at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)
	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:461)
	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)
	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:258)
	at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:218)
	at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:26)
	at weborb.client.ioEngine.HttpIOEngine.send(HttpIOEngine.java:195)
	at weborb.client.ioEngine.HttpIOEngine.invoke(HttpIOEngine.java:140)
	at weborb.client.WeborbClient.invoke(WeborbClient.java:138)
	at com.backendless.Invoker.invokeSync(Invoker.java:95)
	at com.backendless.Invoker$1.run(Invoker.java:71)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
	at java.lang.Thread.run(Thread.java:764)
    Caused by: java.security.cert.CertificateException: Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used
	at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:111)
	at weborb.client.ioEngine.EasyX509TrustManager.checkServerTrusted(EasyX509TrustManager.java:73)
	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:212)
	at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
	at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
	at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
	... 21 more
    ', extendedData: '{}' }

Thanks in advance for your support.

Hi Samuel,

To be honest, I do not quite understand what the error means. You can check the validity of our certificate here (and on other sites which do SSL cert checks):
https://www.sslshopper.com/ssl-checker.html#hostname=api.backendless.com

Regards,
Mark

Hey, I got the same issue as reported. Does anyone know what to do for a solution?

Are you working with our Cloud version of Backendless? The one that is at api.backendless.com ?

No, I was using the free version.

Free version of what? What is the version number?

Version number of Backendless?

    implementation 'com.backendless:backendless:5.0.2'

It must be something with the client-side (the machine that runs the emulator). There are no known issues with the certificate on our side. You can check the validity of the certificate at: https://www.sslshopper.com/ssl-checker.html#hostname=api.backendless.com

But I tried on my personal device also, and it gives me the same error…
Here is the actual error:

    BackendlessFault{ code: 'Internal client exception', message: 'Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used', detail: 'javax.net.ssl.SSLHandshakeException: Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:355)
	at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:193)
	at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:150)
	at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
	at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
	at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
	at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
	at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:319)
	at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:245)
	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:473)
	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)
	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:262)
	at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:218)
	at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getOutputStream(Unknown Source:0)
	at weborb.client.ioEngine.HttpIOEngine.send(HttpIOEngine.java:195)
	at weborb.client.ioEngine.HttpIOEngine.invoke(HttpIOEngine.java:140)
	at weborb.client.WeborbClient.invoke(WeborbClient.java:138)
	at com.backendless.Invoker.invokeSync(Invoker.java:95)
	at com.backendless.Invoker$1.run(Invoker.java:71)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
	at java.lang.Thread.run(Thread.java:764)
    Caused by: java.security.cert.CertificateException: Domain specific configurations require that hostname aware checkServerTrusted(X509Certificate[], String, String) is used
	at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:111)
	at weborb.client.ioEngine.EasyX509TrustManager.checkServerTrusted(EasyX509TrustManager.java:73)
	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:207)
	at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:592)
	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:351)
	... 21 more
    ', extendedData: '{}' }

As a workaround you can do the following in your code before you make the call to Backendless.initApp:

    Backendless.setUrl( "http://api.backendless.com" );

Hi,

In my case the problem was:

Starting with Android P, non-encrypted text traffic (HTTP not encrypted) will be blocked by default, and I was using the Facebook Ads SDK (it uses non-encrypted HTTP to cache its ads), so in order to mitigate this, it is possible to authorize unencrypted text traffic to specific addresses with an XML configuration file for network security:
Android Network security config

Since I put that xml config file in my project Facebook Ads worked but Backendless didn’t… so lucky for me I could remove the Facebook Ads SDK from my project, so I did it and since I don’t use that XML all works like a charm.

I hope this could help.

I am also facing this issue… and I still need Facebook Ads SDK, so what can I do??
I thought it is related to WeborbClient logic, can you share the source code??

@Kilik_Dirty, are you asking how to switch the Backendless traffic to http:// ?

No, I am facing the same issue: when I set a network security config for the Facebook Ads SDK, the Backendless Android SDK cannot work normally. The error message is the same as in this thread.

You can also refer to the Facebook document:
https://developers.facebook.com/docs/audience-network/android-network-security-config/

I thought it is related to the logic inside the WeborbClient.

I am using an Android 9.0 device; the following is the config file:

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <domain-config cleartextTrafficPermitted="true">
            <domain includeSubdomains="true">127.0.0.1</domain>
        </domain-config>
    </network-security-config>

@Kilik_Dirty, are you getting the same error as described here?

yes… but the workaround will use “http”… it is not a good way…

Yes, that’s a workaround. The actual fix would be on the Facebook side (if/when they will ever learn about security)

I don’t think so… since REST API can work fine.
You can’t rely on Facebook fix

If rest works fine, that’s your other workaround.

As for Facebook, I am not convinced that the problem is on our side. You can see from the stack trace that we simply open a connection with the backend and the error comes from the inner workings of Android.

Which means… you didn’t debug in detail, I thought it is related to WeborbClient. Backendless team should investigate it and NOT JUST WANT WORKAROUND!
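
Both stack traces in this thread show a custom trust manager (`EasyX509TrustManager`) calling `RootTrustManager.checkServerTrusted` without a hostname, which the platform refuses once a `<domain-config>` is present. As an added illustration, not Backendless or WebORB code, a wrapping trust manager can stay compatible by forwarding the `Socket`/`SSLEngine` overloads; the names `HostnameAwareTrustManager` and `newContext()` are hypothetical, and it assumes API 24+ where `javax.net.ssl.X509ExtendedTrustManager` exists.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical class (not Backendless/WebORB code): wraps the platform trust manager and
// forwards the connection-aware overloads instead of collapsing to (chain, authType).
public final class HostnameAwareTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager platform;

    public HostnameAwareTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default trust anchors
        X509ExtendedTrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) found = (X509ExtendedTrustManager) tm;
        }
        if (found == null) throw new GeneralSecurityException("no X509ExtendedTrustManager");
        platform = found;
    }

    // Socket/engine overloads carry the peer host, so per-domain rules can be selected.
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s)
            throws CertificateException { platform.checkServerTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e)
            throws CertificateException { platform.checkServerTrusted(c, a, e); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s)
            throws CertificateException { platform.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e)
            throws CertificateException { platform.checkClientTrusted(c, a, e); }

    // Host-less overloads stay fail-closed: with a <domain-config> present the platform
    // rejects them with the CertificateException quoted in this thread.
    @Override public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { platform.checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a)
            throws CertificateException { platform.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    // Builds a TLS context that keeps HTTPS and full chain validation in place.
    public static SSLContext newContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new HostnameAwareTrustManager() }, null);
        return ctx;
    }
}
```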