
Android Certificate Revocation Checking

Çağlar Arlı

I am hoping I can leverage everyone's knowledge on this one as I am at a loss.

I have an Android 10 Device connecting to a containerized web application that is secured by a custom Certificate Authority. The OCSP addresses in the certificates are currently set to static IP addresses internal to the containers due to development setup requirements, but the CRL Distribution Points are set to the IP addresses connectable from outside the containers. The web application operates fine with all the checks it needs being inside the containers.

The Android 10 Device has the Root CA public certificate installed as a User Security Certificate and a certificate that will be passed up the connection for Client Authentication on the web server's side. As a note, this has previously worked fine in a VM setup, but we're switching over to containers.

The problem I am running into is that the HTTPS connection on the Android 10 Device cannot validate the path for the chain passed to it (Web Server, SubCA, & Root CA) and so drops the connection before sending its certificate. Verification checks aren't happening at all according to Wireshark. I would expect the OCSP to fail due to those addresses not existing outside the containers, but Android doesn't try to connect to the CRL Distribution Points either. I have verified they are able to be connected using a browser to download the CRL manually.

Is there a setting I need to tell it to use CRLs over OCSP for the connection (I know this is a possibility for the web server, but I have never seen it used on Android)? Or is there a way to have multiple OCSP responder addresses in the certificate (I am pretty sure this is not possible, but it has been suggested as a solution)? Any assistance on this would be greatly appreciated. Thank you.

Edit: The server is not using OCSP Stapling. The checks are OCSP calls to the CA OCSP Responders.

Previously, the Device would receive the certificates and calls were made by the underlying system to verify the server chain using the addresses in the certificate.

These are the calls not being made in the new setup. There is a port that is identical except it does not require client authentication, and the device is able to connect to this one initially (which would mean to me that the installed certificate for the root CA is working to allow the trust).

After more testing, I have found it is unable to connect to this port either once the Device's certificate is placed in the SSL Context to be passed back to the server. Is it possible I am somehow overriding the OS's trust manager so it is unable to get the trusted certificate from the device?
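An added example (not code from the original post) illustrating the last question: how an SSLContext can accidentally replace the platform trust store when the client certificate is added, and how to keep platform trust for server verification while supplying only the client identity. It assumes the client certificate and key are in a PKCS#12 file; the class and method names are hypothetical. Note that apps targeting API 24 or higher trust user-installed CAs only if their Network Security Configuration opts in with `<certificates src="user" />`.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper: client identity from PKCS#12, server trust from the platform. */
public final class ClientAuthTls {

    // Anti-pattern: the client's PKCS#12 doubles as the trust store, so the
    // platform trust (system CAs plus any permitted user-installed Root CA) is
    // replaced by whatever is in that file. The server chain then fails to
    // validate and the handshake aborts before the client sends its certificate.
    static TrustManager[] trustOnlyClientStore(KeyStore clientStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(clientStore);              // overrides OS trust
        return tmf.getTrustManagers();
    }

    // Corrected: a null KeyStore selects the platform's default trust store.
    static TrustManager[] platformTrust() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    /** Presents the client certificate but verifies servers with platform trust. */
    public static SSLContext build(InputStream pkcs12, char[] password) throws Exception {
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        clientStore.load(pkcs12, password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, password);    // identity only, never used for trust
        KeyManager[] kms = kmf.getKeyManagers();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, platformTrust(), null);
        return ctx;
    }

    /** Diagnostic: is a CA with this subject DN among the trust anchors actually in use? */
    public static boolean trustsIssuer(TrustManager[] tms, String subjectDn) {
        X500Principal wanted = new X500Principal(subjectDn);
        for (TrustManager tm : tms) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (anchor.getSubjectX500Principal().equals(wanted)) return true;
            }
        }
        return false;
    }
}
```

Calling `trustsIssuer(platformTrust(), "<Root CA subject DN>")` from the app tells you whether the installed Root CA is visible to the trust manager the SSLContext will use, which separates a trust-store problem from a revocation-check problem.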