[MOD-2295] Appcelerator HTTPS module not working with android device

GitHub Issuen/a
Resolution Date2016-10-20T08:56:10.000+0000
Affected Version/sn/a
Fix Version/shttps 1.1.4
Labelsappcelerator, module
Reporterjayesh joshi
AssigneeChristopher Williams


Sub : Appcelrator HTTPS module error. I have written code for iOS certification pinning its working perfect. Now I run same code on android device but it goes in XHR error every time . Below is code and error description.
        if (url.indexOf("SSOURL") > -1) {
            var httpsCertificate = Alloy.CFG.STS_CERTIFICATE;
        } else {
            var httpsCertificate = Alloy.CFG.REST_CERTIFICATE;

	Ti.API.info('Certificate >>'+httpsCertificate);
    var securityManager = https.createX509CertificatePinningSecurityManager([{
        url : url,
        serverCertificate : httpsCertificate
	if (Ti.Network.online) {
		var xhr = Ti.Network.createHTTPClient({
			timeout : 40000,
			securityManager: securityManager
		xhr.open(method, url);
[ERROR] : TiHTTPClient: (TiHttpClient-3) [29516,35410] HTTP Error (javax.net.ssl.SSLHandshakeException): Leaf certificate could not be verified with provided public key [ERROR] : TiHTTPClient: javax.net.ssl.SSLHandshakeException: Leaf certificate could not be verified with provided public key [ERROR] : TiHTTPClient: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:322) [ERROR] : TiHTTPClient: at com.android.okhttp.Connection.upgradeToTls(Connection.java:201) [ERROR] : TiHTTPClient: at com.android.okhttp.Connection.connect(Connection.java:155) [ERROR] : TiHTTPClient: at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:276) [ERROR] : TiHTTPClient: at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:211) [ERROR] : TiHTTPClient: at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:382) [ERROR] : TiHTTPClient: at com.android.okhttp.internal.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:106) [ERROR] : TiHTTPClient: at com.android.okhttp.internal.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:217) [ERROR] : TiHTTPClient: at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getOutputStream(DelegatingHttpsURLConnection.java:218) [ERROR] : TiHTTPClient: at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:25) [ERROR] : TiHTTPClient: at ti.modules.titanium.network.TiHTTPClient$ClientRunnable.run(TiHTTPClient.java:1146) [ERROR] : TiHTTPClient: at java.lang.Thread.run(Thread.java:818) [ERROR] : TiHTTPClient: Caused by: java.security.cert.CertificateException: Leaf certificate could not be verified with provided public key [ERROR] : TiHTTPClient: at appcelerator.https.PinningTrustManager.checkServerTrusted(PinningTrustManager.java:84) [ERROR] : TiHTTPClient: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:116) [ERROR] : TiHTTPClient: at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:550) [ERROR] : TiHTTPClient: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) [ERROR] : TiHTTPClient: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318) [ERROR] : TiHTTPClient: ... 11 more




  1. Sharif AbuDarda 2016-08-29 Hello, Send us a full reproducible code that regenerates the issue.
  2. Hans Knöchel 2016-08-29 [~shossain] No, that's something else (V8-update). In this case, the SSL-certificate is invalid.
  3. Hans Knöchel 2016-08-29 [~jay joshi] The error Leaf certificate could not be verified with provided public key already says what's incorrect. You may want to catch the error manually, but that's what happening.
  4. jayesh joshi 2016-08-30 I have the code and certificate those are correctly working in iOS But I run the same code and certificate in Android if Certificate are wrong than they should not work in iOS also. The first thing is SSL Handshake error means it try to connect to url but can not success so it goes in fail means onError of xhr request. Is there anything that specially I have to configure for Android purpose ? Need your support as we are totally depends on module !!
  5. jayesh joshi 2016-09-01 I have Sample code ready for test in that's request params we are having PROPRIETARY INFO that we can not add on public foram. I want to know secure communication way for this or Want to setup call with you for this. Please guide me Thank you in advance.
  6. Sharif AbuDarda 2016-09-05 Hello, I am running the project you have attached in the support portal. I am not getting the error that you have mentioned in the JIRA ticket. Please provide the complete steps to follow for successful regeneration. I am testing on Android 6.0.1 device. Thanks.
  7. jayesh joshi 2016-09-06 !https://postimg.org/image/4a430htn1/! This is screenshots !https://postimg.org/image/p5ism6kn9/!
  8. Sharif AbuDarda 2016-09-06 Hello, The screenshots are not visible. Please attach files here by clicking "more" drop down/ attach files. Thanks.
  9. jayesh joshi 2016-09-07 !screenshot-1.png|thumbnail!
  10. jayesh joshi 2016-09-07 !screenshot-2.png|thumbnail!
  11. Sharif AbuDarda 2016-09-07 Hello, I have again tested your sample app. I am seeing the below error in both studio console and ddms. I am not getting the TiHTTPClint error, [ERROR] : TiHTTPClient: (TiHttpClient-3) [29516,35410] HTTP Error (javax.net.ssl.SSLHandshakeException): Leaf certificate could not be verified with provided public key. Here are my logs. Studio console:
        [ERROR] :  TiHTTPClient: (TiHttpClient-7) [2179,833790] HTTP Error (java.net.UnknownHostException): Unable to resolve host "smartqc-sts.gep.com": No address associated with hostname
        [INFO] :   ------------------------onerror-------------------------{"source":{"location":"https://smartqc-sts.gep.com/REST/TOKENS","status":0,"tlsVersion":3,"timeout":40000,"domain":null,"responseText":"","allResponseHeaders":"","connectionType":"POST","validatesSecureCertificate":false,"statusText":null,"readyState":1,"username":null,"password":null,"apiName":"Ti.Network.HTTPClient","responseXML":null,"responseData":null,"autoRedirect":true,"autoEncodeUrl":true,"connected":false,"bubbleParent":true,"securityManager":{"bubbleParent":true,"apiName":"appcelerator.Https.PinningSecurityManager"},"_events":{"disposehandle":{}}},"error":"Unable to resolve host \"smartqc-sts.gep.com\": No address associated with hostname","code":-1,"success":false}
    DDMS Log:
        09-07 18:40:41.956: E/TiHTTPClient(28120): (TiHttpClient-8) [38427,872217] HTTP Error (java.net.UnknownHostException): Unable to resolve host "smartqc-sts.gep.com": No address associated with hostname
        09-07 18:40:41.956: I/TiAPI(28120):  ------------------------onerror-------------------------{"source":{"location":"https://smartqc-sts.gep.com/REST/TOKENS","status":0,"tlsVersion":3,"timeout":40000,"domain":null,"responseText":"","allResponseHeaders":"","connectionType":"POST","validatesSecureCertificate":false,"statusText":null,"readyState":1,"username":null,"password":null,"apiName":"Ti.Network.HTTPClient","responseXML":null,"responseData":null,"autoRedirect":true,"autoEncodeUrl":true,"connected":false,"bubbleParent":true,"securityManager":{"bubbleParent":true,"apiName":"appcelerator.Https.PinningSecurityManager"},"_events":{"disposehandle":{}}},"error":"Unable to resolve host \"smartqc-sts.gep.com\": No address associated with hostname","code":-1,"success":false}
    Am I missing something. I need to succesfully regenerate the issue for to pass the ticket to engineers to work on for a fix. I am testing on Android 6.0.1 device. Thanks.
  12. jayesh joshi 2016-09-08 I think your internet connection is not working.
  13. Sharif AbuDarda 2016-09-08
  14. jayesh joshi 2016-09-09 Hi Sharif, It isn't a problem with the certificates, because the same code with the same URLs and same certificates is working in iOS flawlessly. In fact, it has been tested and verified as well. The same code snippet when run in Android is causing a problem. If it were because of the certificate and URL issues, it wouldn't have worked in iOS either.
  15. jayesh joshi 2016-09-09 Hi , Sharif, Can you give us ETA for this ? We cross checked the certificates there are not any other certificates and we are using this for iOS too.
  16. jayesh joshi 2016-09-16 Hi, Is anyone looking into this issue? This has put a critical Android delivery to a key client for us on hold, and we need a sure-shot ETA on this ASAP. Is there any escalation that we can do to get this issue resolved sooner? Could someone please assist us on this?
  17. jayesh joshi 2016-09-20 Hi, Can any one give me more news about bug status ?
  18. Gary Mathews 2016-09-20 [~jay joshi] I believe you should be using Alloy.CFG.STS_CERTIFICATE for both requests, as that is the certificate that coincides with the host you are accessing. I think the bug lies with iOS not validating the public key correctly, it should throw the same exception.
  19. jayesh joshi 2016-09-25 @Gary Mathews I made a native ios app for this certification pinning sample, in that it is working fine. Below is the link. https://drive.google.com/open?id=0B7TnjzoJ6BXka0RjbkhEeWFVd2M In the Viewcontroller.m file in "willSendRequestForAuthenticationChallenge" function, if you change it to wrong certificate, then it does not work but with the right certificate it does. In case of android, the module is failing.
  20. jayesh joshi 2016-10-03 Can i have any update for similar ?
  21. Gary Mathews 2016-10-08
  22. jayesh joshi 2016-10-26 @Gary Mathews : I am testing it !! soon i will update more Thank you for support.
  23. Eric Merriman 2018-08-06 Cleaning up older fixed issues. If this issue should not have been closed as fixed, please reopen.

JSON Source