FishStix

Reputation: 5114

HTTPS Certificate sometimes failing in Android WebView

I have a webview in Android. When I'm redirecting from an http site to an https site hosted by a client, I'm getting intermittent HTTPS/SSL failures.

Failure Logs:

com.company.myapp  D  AppWebViewClient -> analyzeURL : 1936 : 2016/10/24 5:36:29 : URL: https://client.website.com/ApplicationRegPage/createAccount
com.company.myapp  D  AppWebViewClient -> onReceivedSslError : 1936 : 2016/10/24 5:36:30 : Received SSL Error
com.company.myapp  D  AppWebViewClient -> onReceivedSslError : 1936 : 2016/10/24 5:36:30 : SSL Error::https://client.website.com/ApplicationRegPage/createAccount:: primary error: 3 certificate: Issued to: CN=client.website.com,OU=MIT,O=Client\,
                                   Inc,L=Mounds View,ST=Minnesota,C=US;
com.company.myapp  D  Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US;
com.company.myapp  D   on URL: https://client.website.com/ApplicationRegPage/createAccount

com.company.myapp  D  AppWebViewClient -> printCertificate : 1936 : 2016/10/24 5:36:30 : Expanding Certificate: Issued to: CN=client.website.com,OU=MIT,O=Client\, Inc,L=Mounds View,ST=Minnesota,C=US;
com.company.myapp  D  Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US;
com.company.myapp  D  AppWebViewClient -> printCertificate : 1936 : 2016/10/24 5:36:30 : Issued by
com.company.myapp  D  AppWebViewClient -> printDName : 1936 : 2016/10/24 5:36:30 : DName: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
com.company.myapp  D  AppWebViewClient -> printDName : 1936 : 2016/10/24 5:36:30 : CName: Symantec Class 3 Secure Server CA - G4
com.company.myapp  D  AppWebViewClient -> printDName : 1936 : 2016/10/24 5:36:30 : OName: Symantec Corporation
com.company.myapp  D  AppWebViewClient -> printDName : 1936 : 2016/10/24 5:36:30 : UName: Symantec Trust Network

com.company.myapp  D  AppWebViewClient -> printCertificate : 1936 : 2016/10/24 5:36:30 : ValidNotAfter: Wed May 31 23:59:59 GApp+00:00 2017
com.company.myapp  D  AppWebViewClient -> printCertificate : 1936 : 2016/10/24 5:36:30 : ValidNotBefore: Wed May 04 00:00:00 GApp+00:00 2016

Success Logs:

com.company.myapp  D  AppWebViewClient -> analyzeURL : 1665 : 2016/10/24 5:28:44 : URL: https://client.website.com/ApplicationRegPage/createAccount
com.company.myapp  D  AppWebChromeClient -> onConsoleMessage : 1665 : 2016/10/24 5:28:46 : Console Msg: https://client.website.com/ApplicationRegPage/createAccount::179:: Uncaught ReferenceError: dstb is not defined
com.company.myapp  D  AppWebViewClient -> onPageFinished : 1665 : 2016/10/24 5:28:47 : Finished loading: https://client.website.com/ApplicationRegPage/createAccount
com.company.myapp  D  AppWebViewClient -> printCertificate : 1665 : 2016/10/24 5:28:47 : HTTPS SSL Certificate for URL
com.company.myapp  D  AppWebViewClient -> printCertificate : 1665 : 2016/10/24 5:28:47 : URL: https://client.website.com/ApplicationRegPage/createAccount
com.company.myapp  D  AppWebViewClient -> printCertificate : 1665 : 2016/10/24 5:28:47 : Expanding Certificate: Issued to: CN=client.website.com,OU=MIT,O=Client\, Inc,L=Mounds View,ST=Minnesota,C=US;
com.company.myapp  D  Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US;
com.company.myapp  D  AppWebViewClient -> printCertificate : 1665 : 2016/10/24 5:28:47 : Issued by
com.company.myapp  D  AppWebViewClient -> printDName : 1665 : 2016/10/24 5:28:47 : DName: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
com.company.myapp  D  AppWebViewClient -> printDName : 1665 : 2016/10/24 5:28:47 : CName: Symantec Class 3 Secure Server CA - G4
com.company.myapp  D  AppWebViewClient -> printDName : 1665 : 2016/10/24 5:28:47 : OName: Symantec Corporation
com.company.myapp  D  AppWebViewClient -> printDName : 1665 : 2016/10/24 5:28:47 : UName: Symantec Trust Network
com.company.myapp  D  AppWebViewClient -> printCertificate : 1665 : 2016/10/24 5:28:47 : ValidNotAfter: Wed May 31 23:59:59 GApp+00:00 2017
com.company.myapp  D  AppWebViewClient -> printCertificate : 1665 : 2016/10/24 5:28:47 : ValidNotBefore: Wed May 04 00:00:00 GApp+00:00 2016

I've read various "fixes" for this "primary error: 3 certificate" that involve various configuration changes on the Android WebView object. I'm including my configuration here (I've already tried not setting the DOM Storage):

protected void configureWebView(WebView mWebView) {
    mWebView.getSettings().setJavaScriptEnabled(true);
    mWebView.setWebViewClient(getWebViewClient());
    mWebView.setScrollBarStyle(WebView.SCROLLBARS_OUTSIDE_OVERLAY);
    mWebView.getSettings().setBuiltInZoomControls(true);
    mWebView.getSettings().setDomStorageEnabled(true);
    // Chrome
    mWebView.setWebChromeClient(getWebChromeClient());
}

These failures are random. I have seen the error occur 1 in 10 site loads this morning. Unfortunately my client is seeing it closer to 50% of the time. I tend to see this error more often on initial launches (or fresh app installs, or freshly installed updates to the app from Android Studio), but my client seems to see it much more randomly.

Upvotes: 4

Views: 6125
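The "primary error: 3" in the failure log is the value of SslError.SSL_UNTRUSTED (certificate authority not trusted). The following is an added example, not code from the question or the answers: a WebViewClient that records every error flag set on the failed handshake together with the certificate fields, then cancels the load instead of calling handler.proceed(), which would accept the unvalidated connection. The class name StrictSslWebViewClient and the log tag are hypothetical.

```java
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: class name and TAG are hypothetical, not from the post.
public class StrictSslWebViewClient extends WebViewClient {
    private static final String TAG = "StrictSslWebViewClient";

    // Every SslError code the platform can report, paired with its name.
    private static final int[] CODES = {
        SslError.SSL_NOTYETVALID, SslError.SSL_EXPIRED, SslError.SSL_IDMISMATCH,
        SslError.SSL_UNTRUSTED, SslError.SSL_DATE_INVALID, SslError.SSL_INVALID
    };
    private static final String[] NAMES = {
        "SSL_NOTYETVALID", "SSL_EXPIRED", "SSL_IDMISMATCH",
        "SSL_UNTRUSTED", "SSL_DATE_INVALID", "SSL_INVALID"
    };

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        String primary = "UNKNOWN(" + error.getPrimaryError() + ")";
        StringBuilder all = new StringBuilder();
        for (int i = 0; i < CODES.length; i++) {
            // getPrimaryError() reports only the most severe flag;
            // hasError() exposes the others set on the same handshake.
            if (error.hasError(CODES[i])) all.append(NAMES[i]).append(' ');
            if (error.getPrimaryError() == CODES[i]) primary = NAMES[i];
        }
        SslCertificate cert = error.getCertificate();
        Log.w(TAG, "TLS validation failed for " + error.getUrl()
                + " primary=" + primary
                + " all=[" + all.toString().trim() + "]"
                + " subject=" + dn(cert.getIssuedTo())
                + " issuer=" + dn(cert.getIssuedBy())
                + " notBefore=" + cert.getValidNotBeforeDate()
                + " notAfter=" + cert.getValidNotAfterDate());
        // Fail closed: the page is not loaded over an unvalidated connection.
        handler.cancel();
    }

    // Distinguished-name fields can be absent on a malformed certificate.
    private static String dn(SslCertificate.DName name) {
        return name == null ? "<none>" : name.getDName();
    }
}
```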

Answers (2)

Selim Gurun

Reputation: 41

This seems to be related to a recent regression in Chrome and mainly WebView. Please see

https://bugs.chromium.org/p/chromium/issues/detail?id=664177

To solve the problem you can upgrade to a M54 Stable WebView.

Upvotes: 4

nandsito

Reputation: 3852

Months ago I had an issue with the Android 6.0 TLS implementation that broke Tyrus 1.12 (WebSocket lib). In fact, Android broke a Tyrus dependency, namely Grizzly 2.3.22 (HTTP/NIO lib). The problem is described here. The solution was a workaround in Grizzly itself, making calls to the Android TLS library in a more careful manner.

Android bug seems to be this one.

As for Marshmallow WebView, I suggest you intercept HTTPS requests and deal with the TLS handshake yourself, instead of delegating it to the WebView. You could use a TLS library that circumvents the Android bug, like Grizzly 2.3.24 or later.

Upvotes: 0
