Android SSL certificate validation fails when APK is cross-compiled from Linux, works when compiled from Windows

[Memphizzz]

Description

When building a .NET MAUI Android app that makes HTTPS requests, the SSL certificate validation
behaves differently depending on the host OS used for compilation:

• Built on Windows: SSL works correctly, HTTPS connections succeed
• Built on Linux: SSL certificate validation fails with SSLHandshakeException / CertificateException

This occurs with the exact same source code, same .NET SDK version (10.0.100), same target framework
(net10.0-android), and connecting to a server with a valid Let's Encrypt certificate.

The certificate chain was verified valid using openssl s_client and works in the Android browser.

Logcat output from Linux-built APK:
javax.net.ssl.SSLHandshakeException
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
...
Caused by: java.security.cert.CertificateException
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:290)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)

Steps to Reproduce

Steps to Reproduce:

1. Create a .NET MAUI app with HttpClient making HTTPS requests
2. Build the Android APK on Windows: dotnet publish -f net10.0-android -c Release
3. Install and test - HTTPS works correctly
4. Build the same code on Linux (e.g., Ubuntu in Docker or GitHub Actions): dotnet publish -f
   net10.0-android -c Release
5. Install and test - SSL certificate validation fails with CertificateException

Expected outcome: Both APKs should have identical SSL behavior since they're built from identical
source code

Actual outcome: Linux-built APK fails SSL validation, Windows-built APK works

Link to public reproduction project repository

No response

Version with bug

10.0.0-preview.7

Is this a regression from previous behavior?

Not sure, did not test other versions

Last version that worked well

Unknown/Other

Affected platforms

Android

Affected platform versions

Android 15 (OnePlus Open, OxygenOS)

Did you find any workaround?

Yes - build the Android APK on Windows instead of Linux.

We changed our GitHub Actions workflow from:

  runs-on: ubuntu-latest
  container:
    image: android-builder-docker-image

To:
runs-on: windows-latest

This produces working APKs with correct SSL behavior.

Relevant log output

# From logcat on Android 15 device with Linux-built APK:

  javax.net.ssl.SSLHandshakeException
     at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:358)
     at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1131)
     at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1086)
     at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:873)
     at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:744)
     at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:709)
     at com.android.org.conscrypt.Java8EngineWrapper.unwrap(Java8EngineWrapper.java:237)
  Caused by: java.security.cert.CertificateException
     at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:290)
     at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1635)
     at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)

  # Certificate verification (same server, passes validation):
  $ openssl s_client -connect server.example.com:443 -showcerts
  depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
  verify return:1
  depth=1 C=US, O=Let's Encrypt, CN=E8
  verify return:1
  depth=0 CN=server.example.com
  verify return:1
  Verify return code: 0 (ok)

[jonathanpeppers]

What is the difference between the two build logs? Windows vs Linux?

Can you share the .binlog files here? https://aka.ms/binlog

I would guess the difference is between what is installed on the two machines?

[Memphizzz]

Sorry, I'm in the middle of moving internationally, please allow me until December to provide the binlogs.

[dotnet-policy-service]

Hi @@Memphizzz. We have added the "need-info" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[jonathanpeppers]

If this gets auto-closed, feel free to reopen when you have info, thanks!

[dotnet-policy-service]

Hi @@Memphizzz. Due to inactivity, we will be closing this issue. Please feel free to re-open this issue if the issue persists. For enhanced visibility, if over 7 days have passed, please open a new issue and link this issue there. Thank you.