Introduction of Additional Certificate Authorities: Xamarin on Android Failure Guidance

Problem statement

Cloudflare will introduce new Certificate Authorities (CAs) for signing their certificates, which may affect some Xamarin applications that are pinning old expired certificates. Platforms with an outdated certificate manager that does not accept the new CA, and/or platforms using an old version of OpenSSL (< 1.1.0), could have this issue.

Symptoms

Xamarin applications using the BoringSSL library may encounter errors accessing the tenant. Here are the details.

Solution

The easiest solution here is to use AndroidClientHandler. This should make Xamarin use Android’s SSL library, which supports the Let's Encrypt cert with the new root all the way up to Android 4.1.

Project-wide configuration

The recommended way is to set the AndroidClientHandler globally:
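
One way to do this in the Android project's .csproj, shown as an added example that is not from the original article. It assumes the standard Xamarin.Android MSBuild property AndroidHttpClientHandlerType; the "before" value is included only for comparison.

```xml
<!-- Added example: fragment of the Xamarin.Android application project's .csproj. -->
<PropertyGroup>
  <!-- Before: property unset, or pointing at the managed handler, which
       performs TLS inside the Mono runtime instead of through the device:
       <AndroidHttpClientHandlerType>System.Net.Http.HttpClientHandler, System.Net.Http</AndroidHttpClientHandlerType> -->

  <!-- After: every HttpClient created with the parameterless constructor
       uses the native Android handler, and with it the platform's TLS
       stack and trust store. -->
  <AndroidHttpClientHandlerType>Xamarin.Android.Net.AndroidClientHandler</AndroidHttpClientHandlerType>
</PropertyGroup>
```

A PropertyGroup without a Condition attribute applies to every build configuration; if the property is placed in configuration-specific groups instead, it has to be repeated for both Debug and Release. Code that passes an explicit handler to HttpClient is not affected by this setting.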

Programmatic configuration

If you wish to set this programmatically, you need to ensure you set the SDK’s BackchannelHandler to new Xamarin.Android.Net.AndroidClientHandler():

using Auth0.OidcClient;

// Route the SDK's backchannel HTTP calls through Android's native TLS stack.
var options = new Auth0ClientOptions() {
  BackchannelHandler = new Xamarin.Android.Net.AndroidClientHandler()
};
var client = new Auth0Client(options);

Regardless of approach, we encourage reading through "HttpClient Stack and SSL/TLS Implementation Selector for Android" in the Xamarin documentation, as it contains useful information about TLS 1.2 on Android when using Xamarin.
