Android 4.4 certificate trust store is somewhat incomplete

REPRODUCIBILITY: 100%
BUILD ID: 3.3.0.16
HARDWARE (Jolla1, Tablet, XA2,…): Sony Xperia X
UI LANGUAGE: German
REGRESSION: Unknown

UPDATE: My original message was wrong! I had done some “experimentation” that seemingly did nothing when indeed it did have an effect; it had just been the opposite of what I expected. After reverting this, I get the more believable issue described below…

DESCRIPTION:

Upon installing the Android app “AntennaPod” and restoring my list of Podcasts from my previous Android installation, I noticed that I am unable to download any episodes from some feeds. After some further investigation this turns out to be because of certificate errors. Affected domains include:

  • www. rbb-online. de (signed by DFN-Verein Global Issuing CA, signed by T-TeleSec GlobalRoot Class 2 from 2008)
  • cdn. podigee. com (signed by COMODO RSA Certification Authority from 2010)

The affected domains work without issues when opening them on the SailfishOS Browser or using Fennec (Firefox for Android). They also do not work when opening them in any WebView-based Android browser such as Lightning (just happened to be the first promising entry I found on F-Droid when looking for a browser app to test with).

It is not really clear to me why only these domains are affected and not many others.

(Go ask the admins if you wanna know why I messed up all the addresses.)

PRECONDITIONS:

None

STEPS TO REPRODUCE:

  1. Install any Android app using the (Android) system certificate store for TLS
  2. Connect to one of the sites above using HTTPS

EXPECTED RESULT:

Should work without any issues

ACTUAL RESULT:

Certificate error / “Download error” / something similar reported

ADDITIONAL INFORMATION:

logcat output from AntennaPod
I/APQueueCleanupAlgorithm(14015): Auto-delete deleted 0 episodes (113 requested)
D/AlienPowerManagerInterface( 6625): alienPMSetScreenState -> false
D/DownloadRequester(14015): downloadMedia() called with: performAutoCleanup = [true], #items = [1]
D/DownloadRequester(14015): partiallyDownloadedFileExists: true
D/DownloadRequester(14015): Requesting download of url https://www.rbb-online.de/[redacted]
D/DownloadService(14015): parallel downloads: 4
D/DownloadService(14015): Service started
D/DownloadSvcNotification(14015): Notification set up
D/downloadCompletionThd(14015): downloadCompletionThread was started
D/DownloadService(14015): Received enqueue request. #requests=1, cleanupMedia=true
D/DBReader(14015): getNumberOfDownloadedEpisodes() called with: 
D/DBReader(14015): getDownloadedItems() called
D/AlienPowerManagerInterface( 6625): alienPMSetScreenState -> true
D/DBReader(14015): getFavoriteIDList() called
D/DBReader(14015): getQueueIDList() called
D/DBReader(14015): Extracting Feedlist
I/APQueueCleanupAlgorithm(14015): Auto-delete deleted 0 episodes (22 requested)
D/DBReader(14015): getFeedItem() called with: itemId = [3544]
D/DBReader(14015): Loading feeditem with id 3544
D/DBReader(14015): getFavoriteIDList() called
D/DBReader(14015): getQueueIDList() called
D/DBReader(14015): Extracting Feedlist
D/DBReader(14015): getQueueIDList() called
D/DownloadService(14015): Writing file url
D/DBReader(14015): getFeedItem() called with: itemId = [3544]
D/DBReader(14015): Loading feeditem with id 3544
D/DBReader(14015): getFavoriteIDList() called
D/DBReader(14015): getQueueIDList() called
D/DBReader(14015): Extracting Feedlist
D/ItemlistFragment(14015): onEventMainThread() called with: event = [DownloadEvent{update=DownloaderUpdate{downloaders=[de.danoeh.antennapod.core.service.download.HttpDownloader@e72129e0], feedIds=[], mediaIds=[3544]}}]
D/AntennapodHttpClient(14015): Creating new instance of HTTP client
D/DownloadService(14015): 1 downloads left
D/DownloadService(14015): Setting up notification updater
D/HttpDownloader(14015): addHeader("Accept-Encoding", "identity")
E/HttpDownloader(14015): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(14015): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(14015):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:409)
W/System.err(14015):    at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:320)
W/System.err(14015):    at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:284)
W/System.err(14015):    at okhttp3.internal.connection.RealConnection.connect(SourceFile:169)
W/System.err(14015):    at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:258)
W/System.err(14015):    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:135)
W/System.err(14015):    at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:114)
W/System.err(14015):    at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:121)
W/System.err(14015):    at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:93)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:121)
W/System.err(14015):    at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
W/System.err(14015):    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:127)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:121)
W/System.err(14015):    at de.danoeh.antennapod.core.service.download.HttpDownloader$BasicAuthorizationInterceptor.intercept(SourceFile:325)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
W/System.err(14015):    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:121)
W/System.err(14015):    at okhttp3.RealCall.getResponseWithInterceptorChain(SourceFile:250)
W/System.err(14015):    at okhttp3.RealCall.execute(SourceFile:93)
W/System.err(14015):    at de.danoeh.antennapod.core.service.download.HttpDownloader.download(SourceFile:100)
W/System.err(14015):    at de.danoeh.antennapod.core.service.download.Downloader.call(SourceFile:46)
W/System.err(14015):    at de.danoeh.antennapod.core.service.download.Downloader.call(SourceFile:15)
W/System.err(14015):    at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(14015):    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:422)
W/System.err(14015):    at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err(14015):    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(14015):    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(14015):    at java.lang.Thread.run(Thread.java:841)
W/System.err(14015): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(14015):    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:282)
W/System.err(14015):    at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:202)
W/System.err(14015):    at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:611)
W/System.err(14015):    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err(14015):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
W/System.err(14015):    ... 31 more
W/System.err(14015): Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(14015):    ... 36 more
D/HttpDownloader(14015): onFail() called with: reason = [ERROR_IO_ERROR], reasonDetailed = [java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.]
D/downloadCompletionThd(14015): Received 'Download Complete' - message.
E/DownloadService(14015): Download failed
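
Added example, not part of the original report: a Python triage helper that reads logcat lines in the format shown above and counts, per host, the downloads that failed with the “Trust anchor for certification path not found” handshake error. The function name and the sample lines (abridged from the log above, with a constructed example.org request and a placeholder path) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# logcat "brief" format as seen in the report: <level>/<tag>(<pid>): <message>
LINE = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\): (.*)$")
URL = re.compile(r"Requesting download of url (\S+)")
NO_ANCHOR = "Trust anchor for certification path not found"

def missing_anchor_hosts(lines):
    """Return {host: failures} for handshakes rejected for lack of a trust anchor."""
    last_host = {}      # pid -> host of the most recent download request
    failed = Counter()  # host -> number of failed downloads
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a logcat line (blank line, truncated output, ...)
        level, _tag, pid, msg = m.groups()
        requested = URL.search(msg)
        if requested:
            last_host[pid] = urlsplit(requested.group(1)).hostname
            continue
        # The same exception is echoed at W level on System.err and again at
        # D level in onFail(); only the E-level report is counted, so one
        # failed download is one failure.
        if level == "E" and "SSLHandshakeException" in msg and NO_ANCHOR in msg:
            # Heuristic: blame the most recent request from the same PID.
            # With parallel downloads this attribution can be wrong.
            failed[last_host.get(pid, "<unknown>")] += 1
    return dict(failed)

# Constructed sample, abridged from the log in the report.
SAMPLE = """\
D/DownloadRequester(14015): Requesting download of url https://media.example.org/ep1.mp3
D/AlienPowerManagerInterface( 6625): alienPMSetScreenState -> true
D/DownloadRequester(14015): Requesting download of url https://www.rbb-online.de/PLACEHOLDER
E/HttpDownloader(14015): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
W/System.err(14015): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
D/HttpDownloader(14015): onFail() called with: reason = [ERROR_IO_ERROR], reasonDetailed = [java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.]
E/DownloadService(14015): Download failed
""".splitlines()

if __name__ == "__main__":
    for host, count in sorted(missing_anchor_hosts(SAMPLE).items()):
        print(f"{host}: {count} download(s) rejected, no trust anchor found")
```

Hosts reported here are the ones whose certificate chains need to be compared against the roots in the Android system certificate store.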