Android Question OkHttp and Android 4 - javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

biometrics · Sunday at 6:46 PM

We recently upgraded our web server from Ubuntu 16.04 to Ubuntu 24.04 and the version of Nginx that came with them at the time.

We have a hundred remote devices that can not connect to the new web server since the upgrade. They are all Android 4. It seems Android 4 and modern OpenSSL are not compatible.

The current OkHttp library requires Android 5 but I managed to get the older OkHttp library files from B4A 11.2 which runs on Android 4. I can now at least make a HTTP connection. But HTTPS still gives an error, the remote sites report: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate. My test device at my office reports: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL Handshake aborted.

The web server certificate is correct and passes online test. It contains the domain, intermediary and root certificates, in that order.

I've tried the Build Configuration Conditional Symbol: HU2_ACCEPTALL and got the same error.

Is it possible to get HTTPS working again?

I've read suggestions like:

1. Embed the server certificate in the app - is there an example of how to do that?
2. Use a reverse proxy server to relay device HTTP to server HTTPS and in reverse. Adds more complexity.
3. Open port 80 on the web server and firewall and update the app to use HTTP - our network team will be unhappy about that.

biometrics · Sunday at 9:37 PM

The timeline might be a bit confusing...

These devices are running 5 year old software, so will have the Android 4 compatible OkHttp.

Now that I want to fix the app I discovered the OkHttp Android version issue. But that's been solved.

So we can compile our code but only connect by HTTP and we need HTTPS.

Erel · 2026-05-25T05:41:13+0100

It is probably related to the server TLS version. Only v1.0 or v1.1 are supported.

biometrics · 2026-05-25T07:04:00+0100

Erel said:
It is probably related to the server TLS version. Only v1.0 or v1.1 are supported.

They are enabled. The new server is set up the same as the old.

Nginx config:

protocols TLSv1 TLSv1.1 TLSv1.2;

Erel · 2026-05-25T08:24:58+0100

Might be some other compatibility issue. Maybe related to SNI. If you can use http with Android 4 then it is probably doesn't worth the effort to find the correct configuration.

teddybear · 2026-05-25T08:59:29+0100

biometrics said:
I've read suggestions like:

1. Embed the server certificate in the app - is there an example of how to do that?
2. Use a reverse proxy server to relay device HTTP to server HTTPS and in reverse. Adds more complexity.
3. Open port 80 on the web server and firewall and update the app to use HTTP - our network team will be unhappy about that.

Perhaps Suggestion 2 is the best choice. you just need to add a reverse proxy server.

biometrics · 2026-05-25T14:09:39+0100

Looks like I found a solution, yay!

So I tried the SslIssueFixed code here: https://www.b4x.com/android/forum/threads/ssl-websocket-client.88472/page-2#post-560196

But it didn't work on the weekend. Thought I should try it again.

On the weekend the Google Play services was at version 2.0.12. When I checked now it had updated itself to 12.6.85. I guess by invoking it it caused a background update.

With this version and HU2_ACCEPTALL I can now connect over HTTPS from the Android 4 devices to the new server.

YAY!

Can one download Google Play services 12.6.85 and do a manual update?

Erel · 2026-05-25T15:32:22+0100

biometrics said:
Can one download Google Play services 12.6.85 and do a manual update?

No.

You can try this: https://www.b4x.com/android/forum/threads/check-and-install-google-play-services.84813/#content

biometrics · 2026-05-25T15:39:29+0100

Erel said:
No.

You can try this: https://www.b4x.com/android/forum/threads/check-and-install-google-play-services.84813/#content

Thanks will try it out. You said it tries to help the user out, how does that work? Is there a user dialog or does it do it in the background?

Erel · 2026-05-25T15:48:05+0100

Yes: https://developers.google.com/andro...lePlayServicesAvailable(android.app.Activity)

biometrics · 2026-05-25T18:17:03+0100

Erel said:
No.

You can try this: https://www.b4x.com/android/forum/threads/check-and-install-google-play-services.84813/#content

This worked (with a dialog) except it wants you to log into a Google account and it fails to do so. Is there a way to do it without it logging in?

biometrics · 2026-05-25T19:42:59+0100

Is this possible?

1. Embed the server certificate in the app - is there an example of how to do that?

biometrics · 2026-05-25T19:50:58+0100

So TLS1 and TLS1.1 are blocked by our server. Probably the cause and @Erel was right in post #3. It's enabled in out Nginx config but Ubuntu 24.04/OpenSSL3 blocks it. Ssllabs.com shows only TLS1.2 is open.

Using Google Play Services for TLS1.2 is a great option but we don't have a way to upgrade it from v2 to v10 on demand.

Android Question OkHttp and Android 4 - javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

biometrics

Active Member

biometrics

Active Member

Erel

B4X founder

biometrics

Active Member

Erel

B4X founder

teddybear

Well-Known Member

biometrics

Active Member

Erel

B4X founder

biometrics

Active Member

Erel

B4X founder

biometrics

Active Member

biometrics

Active Member

biometrics

Active Member

Similar Threads

Android Question OkHttp and Android 4 - javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

Active Member

Active Member

B4X founder

Active Member

B4X founder

Well-Known Member

Active Member

B4X founder

Active Member

B4X founder

Active Member

Active Member

Active Member

Similar Threads

Privacy & Transparency

Privacy & Transparency