
How to configure Zscaler with AndroidX Media?

Open jpgpuyo opened this issue 7 months ago • 4 comments

Hello,

I'm using Zscaler with AndroidX Media.

When Zscaler is enabled, I have issues with an SSL exception.

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

I have tried to provide the root certificate in network_security_config.xml, but it is still failing:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <debug-overrides>
            <trust-anchors>
                <certificates src="@raw/corporate_certificate" />
                <certificates src="user" />
                <certificates src="system" />
            </trust-anchors>
        </debug-overrides>
    </base-config>
</network-security-config>
```

This network security config works for other network calls (for instance, network calls related to firebase), but this configuration is not working for exoplayer.

Any hint?

Should I try to apply some configuration to exoplayer datasources similar to this issue? https://github.com/androidx/media/issues/2161

Thanks!

jpgpuyo, May 30 '25 20:05
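
An added example, not part of the thread: the same trust anchors laid out the way the Android Network Security Configuration format documents them, with `<debug-overrides>` as a direct child of `<network-security-config>` rather than nested inside `<base-config>`. `@raw/corporate_certificate` is the resource name from the post; the `res/xml` location and the choice to limit the corporate and user CAs to debug builds are assumptions of this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Conventional location:
     res/xml/network_security_config.xml, referenced from the manifest's
     <application> element via android:networkSecurityConfig. -->
<network-security-config>
    <!-- All builds: HTTPS only, system CA store only. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when android:debuggable="true"; ignored otherwise.
         These anchors are added to the configuration above, so the
         TLS-inspecting proxy's root CA is trusted on debug builds
         without shipping that trust to release users. -->
    <debug-overrides>
        <trust-anchors>
            <!-- Resource name taken from the post: the corporate root CA
                 (PEM or DER) placed in res/raw. -->
            <certificates src="@raw/corporate_certificate" />
            <!-- CAs the user has installed on the device. -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```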

Which HTTP stacks have you tried? https://developer.android.com/media/media3/exoplayer/network-stacks

This seems unlikely to be an issue specific to media3, i.e. you will likely see the same error if you try and make a network call using the same HTTP stack that you have configured media3 to use.

icbaker, Jun 02 '25 16:06

I have tried only with the Android built-in network stack, DefaultDataSource.Factory(context). I will try with other network stacks and I will provide feedback.

Thanks!

jpgpuyo, Jun 06 '25 18:06

Now I have also tried with HttpEngine, and it is not working with Zscaler.

```kotlin
val httpEngine = HttpEngine.Builder(context).build()
return DefaultMediaSourceFactory(HttpEngineDataSource.Factory(httpEngine, Executors.newSingleThreadExecutor()))
```

Is there any certificate configuration that can be applied to the ExoPlayer builder to deal with Zscaler issues?

Thanks!

jpgpuyo, Jun 06 '25 18:06

ExoPlayer allows you to customize each HTTP stack with its own API (these are generally passed as a parameter to the respective ExoPlayer DataSource.Factory constructor):

There isn't any other ExoPlayer-specific network/certification config API.


> This network security config works for other network calls (for instance, network calls related to firebase), but this configuration is not working for exoplayer.

You should work out what the difference is between the HTTP stack used in these successful calls and your ExoPlayer calls. This could include reproducing the error you're seeing in ExoPlayer outside of ExoPlayer by using the same HTTP stack you're using in ExoPlayer.

I continue to think this isn't an ExoPlayer/media3 question, but a more general Android networking question (and therefore out of scope for this issue tracker).

icbaker, Jun 12 '25 10:06

Hello, for the moment I will not dedicate more time to this issue, as I can test on a real device, and if you think that this isn't an ExoPlayer media3 question, then you are probably right. Thanks!

jpgpuyo, Jul 15 '25 17:07