Error Reason: 2001; App does not work anymore

[gagamail]

EDIT: Corona-Warn-App Open Source Team

Solved: See FAQ:

• DE https://www.coronawarn.app/de/faq/#cause2001
• EN https://www.coronawarn.app/en/faq/#cause2001
• In-App error notification will be linked to FAQ

---

ORIGINAL POST

Avoid duplicates

• Bug is not mentioned in the FAQ
• Bug is specific for Android only, for general issues / questions that apply to iOS and Android please raise them in the documentation repository
• Bug is not already reported in another issue

Describe the bug

When I open the App I immediatley get the error message "Ursache: 2001 an error occured while trying to establish a secure connection to the server". This results in a not working App. Deinstalling and restarting did not help. Last confirmed working of the App was on July, 20th, first time I saw the error was on July, 23rd. In between I did not start the App.

Expected behaviour

The App should work

Steps to reproduce the issue

Starting the App is enough, I did not do anything specific and I did not change anything on my own on my Smartphone since the App is not working anymore.

Technical details

• Mobile device: Samsung Galaxy Note 8 SM-N950F
• Android version: 9, July security patch
• CWA version: 1.1.1

Possible Fix

No idea

Additional context

My first thought was that Blokada changed something. Deactivating Blokada did not help. And even if so I am not willing to deactivate it completely (CWA is on the Allowed Apps list) as the App worked with it before.

---

Internal Tracking ID: EXPOSUREAPP-10944

[SebastianWolf-SAP]

Thanks for the report. We've also been getting similar reports from Play Store comments. Reports from there show that

• it seems to be unrelated from rooting/modifications, personal firewalls or similar measures
• it seems to be independent from the used network (wi-fi or cellular)
• it might be related to the latest update 1.1.1 as some people report that it occurs only since the latest update

Quotes from Play Store:

Initially, but for several days (even after reinstallation) a "Cause 2001" error worked: a secure connection to the server could not be established. EDIT: The error suddenly appeared / without changing the network, is in all WLAN networks, and also in mobile data mode. EDIT 2: the device was not modified and no firewall was installed. Resetting the network settings did not solve the problem

Until the update - all errors correcting - the app ran really well. No error message or similar. However, since the update: Error: CAUSE 2001. Rien ne va plus! No more risk assessment. This is how the app helps me - especially when the number of cases increases again. Please troubleshoot here. Then I also like to upgrade.

Unfortunately now without function. Something has been made worse, now it only shows that something went wrong. Cause of error 2001. Under "Details" there follows a cryptic error message. Android 9, Samsung S8. No blockers active. Own WiFi without restrictions. And before I get any tips like updating: I have installed version 1.5. Theoretically should correct errors, but in practice does the opposite. I uninstalled the app first.

After the update to 1.1.1 only error message 2001 comes. Even a restart of the cell phone brought no improvement. Risk determination is active, risk status is only displayed after the error message. Cause 2001 is displayed. Something went wrong. I am logged in to my own WLAN and have not made any changes to the network. Even a new installation did not bring any improvement. After the risk determination has been switched off, the error message disappears.

A different error after each update. Now after the latest update on 07/25/2020 "Cause 2001" on Huawei P8 Android 6.0. an error occured while trying to establish a secure connection to the server. Tried 3 different WLANs as well as cell phones. All unsuccessful. With another device - Samsung J3 - it works in the same networks.

The following error message appears when the APP is called: CAUSE: 2001 Something went wrong an error occured while trying to establish a secure connection to the server What can I do? Thank you for your help_______________________________ Edit: Unfortunately a restart does nothing to change this behavior. ___________________________________________ Edit: The error has occurred since the update to version 1.1.1. Lenovo Moto G5. Android 8.0.1, Google Play Store 21.0.17-all, services 20.24.14

The following error message appears when the APP is called: CAUSE: 2001 Something went wrong an error occured while trying to establish a secure connection to the server What can I do? Thank you for your help. The device has been restarted several times since it first appeared. The error always comes reliably since the update to version 1.1.1

Reported devices (all on CWA 1.1.1):

• moto g(6) (ali_n), Android 9
• OnePlus5, Android 10
• Huawei P30 Pro (HWVOG), Android 10
• Huawei P8 Android 6.0
• Galaxy S8 (dreamlte), Android 9
• HTC U11 (htc_ocndugl), Android 9
• Moto G (5th Gen) (cedric), Android 8.1

As reports are increasing, we will address this with high priority to product management to prioritize analyses and a fix.

Mit freundlichen Grüßen/Best regards,
SW
Corona Warn-App Open Source Team

[thomasaugsten]

@gagamail Can you please contact me directly to provide more details about the network setup

[vaubaehn]

@thomasaugsten @gagamail
Hi, gagamail listed Android July Patch for his device settings.
The July Patch also consists of Qualcomm fixes that seem to affect wifi.
May there be any (timely) relation to the July Patch?
https://source.android.com/security/bulletin/2020-07-01?hl=en

[gagamail]

@thomasaugsten @gagamail
Hi, gagamail listed Android July Patch for his device settings.
The July Patch also consists of Qualcomm fixes that seem to affect wifi.

The SM-N950F is the version with the Samsung Exynos Processor and not Qualcomm Snapdragon. So I guess it can't be related?

May there be any (timely) relation to the July Patch?
https://source.android.com/security/bulletin/2020-07-01?hl=en

According to the logfiles I installed the last upgrade (i don't think there was any other upgrade besides the July Patch) on July, 28th which would mean it already did not work without July Patch.

[DerPlankton13]

Hi all,
I am effected by this bug as well (last working was the 20th July as well).
Since the error message gives more details hinting in the direction of the error, I wanted to provide some information from it. Unfortunately I am not allowed to take a screenshot of the error message and will thus not type the whole error stack.
The full error message starts with:

Etwas ist shiefgelaufen.
Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: an error occurred while trying to establish a secure connection to the server

And it ends with:

Caused by: java.securit.cert.CertPathValidatorException: Trust anchor for certification path not found.

I hope this helps :)

Cheers

[vaubaehn]

Hi @gagamail , thanks for clearing up!

According to the logfiles I installed the last upgrade (i don't think there was any other upgrade besides the July Patch) on July, 28th which would mean it already did not work without July Patch.

So, any problems with 2001 related to that patch can be completely excluded then.
And you are right, Qualcomm for that model is US market only. Anyway, there were also some Samsung internal fixes and Android kernel fixes. However, doesn't play any role here.

[vaubaehn]

Hi @DerPlankton13 , thanks for your report!
You mentioned that app was working well until July 20th.
Interestingly, around July 21st/22nd, CWA-server 1.2.0 was released...
May there be any correlation, @thomasaugsten @EvgeniiSkrebtcov ?

[thomasaugsten]

Hi,
the issues is the app cannot verify the ssl certificate of the diagnosis key server (Introduced with v1.1.1). This can caused by multiple things.

1. Date/Time is not correct.
2. Android Root/CA certificates are not up to date
3. Antivirus App is breaking the ssl chain
4. Network/Firewall tool like pi-hole is breaking the ssl chain

Maybe you can provide a screenshot of
Open Settings
Tap “Security & location”
Tap “Encryption & credentials”
Tap “Trusted credentials.”

[vaubaehn]

maybe any problem in server certificate pinning?

[gagamail]

1. Date/Time is not correct.

Is correct.

2. Android Root/CA certificates are not up to date

I have one certificate which is not up to date. Thats an old Deutsche Telekom Root CA 2 which I needed in the past for WLAN access.

3. Antivirus App is breaking the ssl chain

No Antivirus App installed

4. Network/Firewall tool like pi-hole is breaking the ssl chain

In my home WLAN I have a pi-hole, but the App also does not work outside of this WLAN. On the smartphone I have Blokada which I completely deactivated. Before July 21st the App worked with both activated.

[thomasaugsten]

@gagamail Can you remove the old CA and test again?

[gagamail]

@gagamail Can you remove the old CA and test again?

Looks like I can't. I don't find a possibility to deinstall it, according to what I found with google it is not possible to completely remove a WLAN CA. But it is (and was before) dectivated.

[kira99]

Redmi Note 7

[thomasaugsten]

Hi Kira,
can you provide a screenshot of
Settings
Tap “Security & location”
Tap “Encryption & credentials”
Tap “Trusted credentials.”

[kira99]

[kira99]

Hi Kira,
can you provide a screenshot of
Settings
Tap “Security & location”
Tap “Encryption & credentials”
Tap “Trusted credentials.”

Did my screenshots help? If not, can you give me a hint where to find the settings?

[thomasaugsten]

@kira99
Settings->Additional Settings->Privacy->Trusted Credentials
Is the button "Clear credentials" active?

[kira99]

There is no additional settings in the App visible. Only settings. In settings everything is on. My operating system MIUI is in German. But I could not find any similar settings to credentials. Where do I have to look?

[thomasaugsten]

I mean the Android Settings not the App Settings

[kira99]

Sorry, MIUI does not show this. The settings UI is not Android standard. I looked up privacy. There is not setting for credentials and I even have already activated developer mode for MIUI.

[thomasaugsten]

Ok maybe you can try
Settings->Privacy & security -> Privacy->Trust agents
Settings->Privacy & security -> Privacy->Encryption Credentials->Trusted Credentials
Settings->Privacy & security -> Privacy->Encryption Credentials->User Credentials

[kira99]

Or did you mean this?

[akuckartz]

@kira99 "Vertrauenswürdige Anmeldedaten" seems to be what you should look for.

[thomasaugsten]

Hi thanks for your help.
The setting: Vertrauenswürdige Anmeldedaten is empty?
Ok this helps. I deleted one your screenshots because of privacy reasons

[mlenkeit]

@Stonebubble ok, thanks for the clarification 👍

[vaubaehn]

@Stonebubble Thanks, yes, then it's related to the issue 2 days ago. For now it looks like you won't be able to receive the Monday's test result in the app anymore. Do you need further assistance?

[Stonebubble]

@vaubaehn No, that's all. Thank you ( ꈍᴗꈍ)

[Berengar13]

Still exact same for me as for harry-g in december Today 21/01/2022
Tested at 17:15 scanned 18:20 certificates installed and active no firewall no matter mobile or wifi quite annoying

Still exact same for me as for @dor-bw and @bienzle.

*  the exact error as described above occured (Ursaxche 2001, T-Systems certificate)

*  the "QR code ungültig" appeared, exactly as in above screenshots

 
* nothing in the recycle bin

* app was not uninstalled

* after that only, also tried to delete app data and uninstall, also does not help

Any news about this issue?

[mirabilos]

I got a 2001 but the certificate is enabled. The reason was for me, as far as I could figure out from the traceback, a handshake error. Sony Xperia S, Android 7.1.2

[dsarkar]

Hi @mirabilos @Berengar13,

Thanks for reporting. You are using latest version CWA 2.16?

Best wishes, DS

---

Corona-Warn-App Open Source Team

[mirabilos]

@dsakar sorry, in my case it’s 2.11.2.0 from F-Droid

[da-Rob]

Dear all,
suddenly on two phones Motorola brand. Version CWA 2.16.2 ENF Version 182148150000 both fail to operate risk monitoring feature (Risikoermittlung).

URSACHE: 2001 Etwas ist schiefgelaufen.
Bitte aktivieren Sie das SYSTEM Sicherheitszertifikat T-Systems Enterprise Services GmbH, T-TeleSec GlobalRoot Class 2 auf Ihrem Gerät. Mehr Informationen finden Sie in den FAQs auf https://coronawarn.app unter "URSACHE 2001".

First only one phone (moto g(7) power, Android 10) was affected, since yesterday the second (Moto Z (2) Android 9).

Certificate on given hints was active and also de-activating and re-activating did not fix the issue.
Re-installation of CWA did not fix the problem.
Phone 1 Android 10:

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:919)
Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:288)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:111)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:5)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7047253b48: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x70bd957e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7047253b48: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x70bd957e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7047253b48: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x70bd957e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more

Phone 2 Android 9:

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:798)
Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:286)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:111)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:5)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
... 24 more
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
... 25 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
... 24 more
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error
error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
... 24 more

Thank you for looking into this.

da Rob

[MikeMcC399]

@da-Rob
I see in the stack trace OPENSSL_internal:WRONG_VERSION_NUMBER
CWA Android uses TLS 1.2 and 1.3 according to HttpModule.kt.

What happens if you try to access https://www.coronawarn.app on a webbrowser on your mobile device? Is it successful or do you get an error message?

Is there any difference to the app error if you are connected on WiFi or on a mobile connection?
Has there been any network change involving firewalls, antivirus software, proxy servers, etc. that you know about?

[da-Rob]

Hey @MikeMcC399 thank you for your reply.
You have been right. When the Phone 2 (Android 9) was on mobile data connection it seemed to connect. There the Guest WiFi of FRITZ!Box might have filtered too strictly by firewall measures.
While Phone 1 (Android 10) did not see the guest WiFi apparently, it was working when I used Phone 2 to create a local hotspot by mobile data.

Seems to be fixed here now, while the AVM settings of firewall for CWA should affect a high amount of users.

Though: Thank you for the moment, still I was puzzled by the cryptic error messages and that the straight forward way (Re-activate certificate) did not work out.

Improvement point: Add to URSACHE 2001 also hint to "Try using mobile data connection."

[Edit]
Maybe it is due to the block of "www.t-online.de" in the content filter settings. Might that affect the "T-Systems" certificate, then?
[/Edit]

Thank you and best regards
da Rob

[vaubaehn]

@da-Rob and all,

[Edit]
Maybe it is due to the block of "www.t-online.de" in the content filter settings. Might that affect the "T-Systems" certificate, then?
[/Edit]

I had a quick check, and the reason why it is blocked via "Fritz Box Gastzugang" is a bit unfortunate:
For guest access via fritz box, there is a standard configuration of open ports, blocked web sites and the activated usage of the parental control filter (BPjM). And: port 443 is blocked, obviously to allow fritz box to make use of the BPjM module (reading unencrypted packets for keywords)... The host/owner of the fritz box would need to add port 443 to the allowed ports (via filter lists), but then listening on traffic for the BPjM module is likely not possible anymore.

@dsarkar Is this something we should add to the FAQ? "Gastzugang" -> "#cause2001" and "Port 443" -> "#access-list"

@mlenkeit
We now have 4 different error reasons:

1. java.securit.cert.CertPathValidatorException: Trust anchor for certification path not found (caused possibly by malformed certificate chain)
2. java.io.EOFException: connection closed (someone pulled the plug in the server room)
3. java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.lang.String.toUpperCase(java.util.Locale)' on a null object reference (root cause unknown; occured as a temporary problem. Caused by mobile provider? Or TSI tried something with server certificate?)
4. javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x716920e988: Failure in SSL library, usually a protocol error // error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER (external/boringssl/src/ssl/tls_record.cc:242 0x7169cf9e07:0x00000000) (root cause: port 443 blocked. Possible other reason: TSL malconfiguration on client (something is wrong with OS))

Only error no. 1 fits to the current '2001 dialog'.

[MikeMcC399]

@da-Rob
It's good you were able to resolve your problem1

The FAQ article [Google/Android]: CAUSE: 2001, trying to establish a secure connection to the server does refer to [Google/Android]: Firewall/Router configuration: CAUSE: 4000, error during web request, HTTP status 901 where the list of access points is published.

If there is a need to improve either of those articles, then I suggest to open a new issue for the website content using https://github.com/corona-warn-app/cwa-website/issues.

[illifee]

Hallo,
bei mir ist das Problem heute zum 1. Mal aufgetreten.
Das Sicherheitszertifikat ist bereits aktiv, ich habe keine Firewall und es funktioniert nicht egal ob im WLan oder über Mobilfunk.
Ich habe allerdings ebenfalls eine Fritzbox mit Gastzugang.
Bin nicht sehr IT-affin, daher benötige ich bitte Hilfe.

[Fkultra-boop]

Hey, Problem tritt seit heute auf. Gestern zum ersten Mal einen PCR-Tests gescannt.
Handy: OnePlus 5t
Es macht keinen Unterschied ob WiFi oder mobile Daten.
Sicherheitszertifikat ist aktiv.

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:919)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:110)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:674)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:551)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:617)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:640)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:507)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:426)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:354)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:224)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:407)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 38 more

[JanMarcusEskes]

Guten Tag, auch bei mir (Note 10 + SM-N976B, Sicherheitspatch 1.Mai 2022, Android 12) tritt es seit heute auf. Alle Systemzertifikate sind aktiviert. Kann das Zertifikat (also im SSL Sinne, nicht CWA-Zertifikat) abgelaufen sein oder sowas?
Über Mobil und WLan keine Verbindung BEIM HINZUFÜGEN eines Tests möglich. Die App läuft abseits des nicht-hinzufügens jedoch völlig normal.

Mit freundlichen Grüßen
Jan-Marcus Eskes

[StefanR22]

Bei mir der selbe Fehler.
Weder über Mobilfunk noch WLAN funktioniert es.
Zertifikat ist aktiviert. Firewall gibt es nicht.

Ursache:
de.rki.coronawarnapp.exception.CwaWebSecurityException: An error occurred while trying to establish a secure connection to the server
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:25)
at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:12)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:920)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:731)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:25)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:27)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:110)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:20)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:228)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:36)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.HttpErrorParser.intercept(HttpErrorParser.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.RetryInterceptor.intercept(RetryInterceptor.kt:3)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.kt:4)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:14)
at de.rki.coronawarnapp.http.interceptor.WebSecurityVerificationInterceptor.intercept(WebSecurityVerificationInterceptor.kt:3)
... 6 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:672)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:638)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:353)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
... 31 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 47 more

[mlenkeit]

We're looking into it...

[mlenkeit]

@illifee @Fkultra-boop @JanMarcusEskes @StefanR22 Danke für die schnelle Meldung!

Besteht das Problem weiterhin oder tauch der Fehler inzwischen nicht mehr auf? Falls doch, würde uns auch die Versionsnummer der CWA helfen.

Wir haben verschiedene mögliche Ursachen für diese Fehlermeldung geprüft, konnten aber bislang auf unseren Servern nichts auffälliges beobachten und können den Fehler zum jetzigen Zeitpunkt nicht Nachstellen.

[JanMarcusEskes]

Bei mir klappt es jetzt wieder, vielen Dank.
Was war das Problem, wenn man fragen darf (bin Softwareentwickler, interressiert mich nur)?

[mlenkeit]

Bei mir klappt es jetzt wieder, vielen Dank. Was war das Problem, wenn man fragen darf (bin Softwareentwickler, interressiert mich nur)?

Die Fehlermeldung taucht auf, wenn der Server mit einem anderen SSL-Zertifikat (bzw. -kette) antwortet als erwartet (auch bekannt als Certificate Pinning).

Warum das allerdings heute morgen passiert ist, ist leider noch unklar. Wir bleiben dran. Die Tatsache, dass es jetzt wieder zu funktionieren scheint, deutet auf ein temporäres Problem in der Infrastruktur hin.

[Fkultra-boop]

@illifee @Fkultra-boop @JanMarcusEskes @StefanR22 Danke für die schnelle Meldung!

Besteht das Problem weiterhin oder tauch der Fehler inzwischen nicht mehr auf? Falls doch, würde uns auch die Versionsnummer der CWA helfen.

Wir haben verschiedene mögliche Ursachen für diese Fehlermeldung geprüft, konnten aber bislang auf unseren Servern nichts auffälliges beobachten und können den Fehler zum jetzigen Zeitpunkt nicht Nachstellen.

Funktioniert jetzt wieder.
Dankeschön!

[illifee]

Bei mir funktioniert auch wieder alles :-)

[Ein-Tim]

I have a user on Twitter reporting this issue. @thomasaugsten has the team any assumption in which circumstances (besides of an incident) this message is shown?

[Ein-Tim]

@mlenkeit

Die Fehlermeldung taucht auf, wenn der Server mit einem anderen SSL-Zertifikat (bzw. -kette) antwortet als erwartet (auch bekannt als Certificate Pinning).

Könnte eine mögliche Ursache sein, dass ein Server ein veraltetes/falsches SSL-Zertifikat hat & wenn der Load Balancer diesen Server für die Anfrage pickt bekommt der Nutzende diese Fehlermeldung?

[thomasaugsten]

This happens when the establishment of a proper SSL is failing. The faq gives information to check the ssl certificate on client side

[Ein-Tim]

@thomasaugsten For the user the pop up just popped up randomly and after clicking on "OK" the app works as expected. After restarting the app the pop up does not appear again.