Skip to content

Failed to verify TLS certificate on older android versions

I am testing conjure PT on android. Looks like older android versions can't use it due to outdated system CA certificates. They cannot be updated on android. I can confirm that conjure PT does not work on android versions: 4.4.2, 6 and 7. Also I can confirm that it works well on android 10.

I can't test it on all android versions, but in my experience it should work starting from android 8. The solution might be to use another server certificate that uses a different CA certificate chain that can work on older android versions.

Tor logs:

Tor version 0.4.7.13-dev
Jun 12 13:52:55.000 [notice] Tor 0.4.7.13-dev (git-aef76beccc6b7422) opening log file.
Jun 12 13:52:55.111 [notice] We compiled with OpenSSL 1010113f: OpenSSL 1.1.1s  1 Nov 2022 and we are running with OpenSSL 1010113f: 1.1.1s. These two versions should be binary compatible.
Jun 12 13:52:55.112 [notice] Can't get entropy from getrandom(). You are running a version of Tor built to support getrandom(), but the kernel doesn't implement this function--probably because it is too old? Trying fallback method instead.
Jun 12 13:52:55.147 [notice] Tor 0.4.7.13-dev (git-aef76beccc6b7422) running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1s, Zlib 1.2.8, Liblzma 5.2.4, Libzstd 1.4.9 and Unknown N/A as libc.
Jun 12 13:52:55.147 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Jun 12 13:52:55.148 [notice] Read configuration file "/data/user/0/pan.alexander.tordnscrypt/app_data/tor/tor.conf".
Jun 12 13:52:55.160 [notice] Opening Socks listener on 127.0.0.1:9050
Jun 12 13:52:55.161 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Jun 12 13:52:55.161 [notice] Opening Socks listener on [::1]:9050
Jun 12 13:52:55.161 [notice] Opened Socks listener connection (ready) on [::1]:9050
Jun 12 13:52:55.161 [notice] Opening DNS listener on 127.0.0.1:5400
Jun 12 13:52:55.161 [notice] Opened DNS listener connection (ready) on 127.0.0.1:5400
Jun 12 13:52:55.161 [notice] Opening DNS listener on [::1]:5400
Jun 12 13:52:55.161 [notice] Opened DNS listener connection (ready) on [::1]:5400
Jun 12 13:52:55.161 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
Jun 12 13:52:55.161 [notice] Opened Transparent pf/netfilter listener connection (ready) on 127.0.0.1:9040
Jun 12 13:52:55.161 [notice] Opening HTTP tunnel listener on 127.0.0.1:8118
Jun 12 13:52:55.161 [notice] Opened HTTP tunnel listener connection (ready) on 127.0.0.1:8118
Jun 12 13:52:55.000 [notice] Parsing GEOIP IPv4 file /data/user/0/pan.alexander.tordnscrypt/app_data/tor/geoip.
Jun 12 13:52:56.000 [notice] Parsing GEOIP IPv6 file /data/user/0/pan.alexander.tordnscrypt/app_data/tor/geoip6.
Jun 12 13:52:59.000 [notice] Bootstrapped 0% (starting): Starting
Jun 12 13:53:11.000 [notice] Starting with guard context "bridges"
Jun 12 13:53:11.000 [notice] Delaying directory fetches: No running bridges
Jun 12 13:53:13.000 [notice] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
Jun 12 13:53:13.000 [notice] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
Jun 12 13:53:13.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Jun 12 13:53:14.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:53:25.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:53:37.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:53:48.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:54:00.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:54:11.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:54:22.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:54:34.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:54:45.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.
Jun 12 13:54:57.000 [notice] Managed proxy "/data/app/pan.alexander.tordnscrypt-1/lib/arm/libconjure.so": retrying conjure registration, station is under high load.

Conjure logs:

[13:52:55] Redirecting log to file
2023/06/12 13:52:55 Started SOCKS listener at 127.0.0.1:53094
2023/06/12 13:53:13 SOCKS accepted: {143.110.214.222:80 url=https://registration.refraction.network.global.prod.fastly.net/api;front=cdn.sstatic.net  map[front:[cdn.sstatic.net] url:[https://registration.refraction.network.global.prod.fastly.net/api]]}
2023/06/12 13:53:13 Attempting to connect to bridge at 143.110.214.222:80
2023/06/12 13:53:13 Using the registration API at https://registration.refraction.network.global.prod.fastly.net/api
[13:53:13] [0-5c548b] Shared Secret  - 5c548bcfa3c507462c7ec8ddcc0612be24f7b4e258ac1839e1691862d623533c
[13:53:13] [0-5c548b] covert 143.110.214.222:80
[13:53:13] [0-5c548b] Representative - 08cddf001af8635e5dc3a896ebb780a32f010356f1f502985070fc0950e1e30f
2023/06/12 13:53:13 Performing a Conjure registration with domain fronting...
2023/06/12 13:53:13 Conjure station URL:  https://registration.refraction.network.global.prod.fastly.net/api
2023/06/12 13:53:13 Domain front:  cdn.sstatic.net
2023/06/12 13:53:13 Buffering 517 bytes to send later
[13:53:13] https://registration.refraction.network.global.prod.fastly.net/api/register-bidirectional failed to do HTTP request to registration endpoint Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:13Z is after 2021-09-30T14:01:15Z: %!v(MISSING)
[13:53:13] error in registration attempt: Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:13Z is after 2021-09-30T14:01:15Z
[13:53:13] all registration attempt(s) failed
[13:53:14] [0-5c548b] Failed to register: registration failed
2023/06/12 13:53:14 Error registering with station: registration failed
2023/06/12 13:53:14 This may be due to high load, trying again.
2023/06/12 13:53:24 Using the registration API at https://registration.refraction.network.global.prod.fastly.net/api
[13:53:24] [1-a87390] Shared Secret  - a87390c5399ab78a6fb17f09ecf3ea7444d364ee65576e8928c8a3b2dc7e8a1e
[13:53:24] [1-a87390] covert 143.110.214.222:80
[13:53:24] [1-a87390] Representative - 0b38d037950b53ecf89053cf511f758184ab3a877cf769b6688ea07c2b9aee25
2023/06/12 13:53:24 Performing a Conjure registration with domain fronting...
2023/06/12 13:53:24 Conjure station URL:  https://registration.refraction.network.global.prod.fastly.net/api
2023/06/12 13:53:24 Domain front:  cdn.sstatic.net
[13:53:24] https://registration.refraction.network.global.prod.fastly.net/api/register-bidirectional failed to do HTTP request to registration endpoint Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:24Z is after 2021-09-30T14:01:15Z: %!v(MISSING)
[13:53:24] error in registration attempt: Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:24Z is after 2021-09-30T14:01:15Z
[13:53:24] all registration attempt(s) failed
[13:53:25] [1-a87390] Failed to register: registration failed
2023/06/12 13:53:25 Error registering with station: registration failed
2023/06/12 13:53:25 This may be due to high load, trying again.
2023/06/12 13:53:35 Using the registration API at https://registration.refraction.network.global.prod.fastly.net/api
[13:53:35] [2-cba7dd] Shared Secret  - cba7ddaa18c1616152d244a896e592de9d2873ced08bc564cda63bcd4b94b511
[13:53:35] [2-cba7dd] covert 143.110.214.222:80
[13:53:35] [2-cba7dd] Representative - 0af1cf2edcde1dec33f039b1e04945d464bcf1c607dc3093defcf38078be820e
2023/06/12 13:53:35 Performing a Conjure registration with domain fronting...
2023/06/12 13:53:35 Conjure station URL:  https://registration.refraction.network.global.prod.fastly.net/api
2023/06/12 13:53:35 Domain front:  cdn.sstatic.net
[13:53:36] https://registration.refraction.network.global.prod.fastly.net/api/register-bidirectional failed to do HTTP request to registration endpoint Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:36Z is after 2021-09-30T14:01:15Z: %!v(MISSING)
[13:53:36] error in registration attempt: Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:36Z is after 2021-09-30T14:01:15Z
[13:53:36] all registration attempt(s) failed
[13:53:37] [2-cba7dd] Failed to register: registration failed
2023/06/12 13:53:37 Error registering with station: registration failed
2023/06/12 13:53:37 This may be due to high load, trying again.
2023/06/12 13:53:47 Using the registration API at https://registration.refraction.network.global.prod.fastly.net/api
[13:53:47] [3-734a09] Shared Secret  - 734a0907c1c863400745b4f63722c19b27aef09932bf6bf9aac3c519670e306c
[13:53:47] [3-734a09] covert 143.110.214.222:80
[13:53:47] [3-734a09] Representative - 441342aed9923edecdeab0c601e3dc163b58da135c817e4a9be5dcd6baaa3f8d
2023/06/12 13:53:47 Performing a Conjure registration with domain fronting...
2023/06/12 13:53:47 Conjure station URL:  https://registration.refraction.network.global.prod.fastly.net/api
2023/06/12 13:53:47 Domain front:  cdn.sstatic.net
[13:53:47] https://registration.refraction.network.global.prod.fastly.net/api/register-bidirectional failed to do HTTP request to registration endpoint Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:47Z is after 2021-09-30T14:01:15Z: %!v(MISSING)
[13:53:47] error in registration attempt: Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:47Z is after 2021-09-30T14:01:15Z
[13:53:47] all registration attempt(s) failed
[13:53:48] [3-734a09] Failed to register: registration failed
2023/06/12 13:53:48 Error registering with station: registration failed
2023/06/12 13:53:48 This may be due to high load, trying again.
2023/06/12 13:53:58 Using the registration API at https://registration.refraction.network.global.prod.fastly.net/api
[13:53:58] [4-30a195] Shared Secret  - 30a195ebd23fab6dfae6810fdef7f33762288ce6eb98ccca141a404c1a456b49
[13:53:58] [4-30a195] covert 143.110.214.222:80
[13:53:58] [4-30a195] Representative - 5c86fe6853e252229fb3b89759e50e32a0c57f7df05c6b1e71953a297c852228
2023/06/12 13:53:58 Performing a Conjure registration with domain fronting...
2023/06/12 13:53:58 Conjure station URL:  https://registration.refraction.network.global.prod.fastly.net/api
2023/06/12 13:53:58 Domain front:  cdn.sstatic.net
[13:53:59] https://registration.refraction.network.global.prod.fastly.net/api/register-bidirectional failed to do HTTP request to registration endpoint Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:58Z is after 2021-09-30T14:01:15Z: %!v(MISSING)
[13:53:59] error in registration attempt: Post "https://cdn.sstatic.net/api/register-bidirectional": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-06-12T13:53:58Z is after 2021-09-30T14:01:15Z
[13:53:59] all registration attempt(s) failed
[13:54:00] [4-30a195] Failed to register: registration failed
2023/06/12 13:54:00 Error registering with station: registration failed
2023/06/12 13:54:00 This may be due to high load, trying again.
2023/06/12 13:54:10 Using the registration API at https://registration.refraction.network.global.prod.fastly.net/api
[13:54:10] [5-791e3c] Shared Secret  - 791e3cdebf38b7ea83b9ed5e79940dd76faeeea2db27c2ac265419a477f3101f
[13:54:10] [5-791e3c] covert 143.110.214.222:80
[13:54:10] [5-791e3c] Representative - 57f244948be55576ea255fd5f05588cfaa16f6e474b44a3feaef11bc35dbe2ae
2023/06/12 13:54:10 Performing a Conjure registration with domain fronting...
2023/06/12 13:54:10 Conjure station URL:  https://registration.refraction.network

Version 0a7df066