0

I want to use ProGuard in my app. I use org.apache.http.impl.client.DefaultHttpClient to send requests to the server. Without ProGuard it works well, but when I turn ProGuard on I can build the app, but at run time I receive the following exception:

javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
    at com.newrelic.agent.android.instrumentation.HttpInstrumentation.execute(HttpInstrumentation.java:165)
    at com.abc.communication.CommunicationManager.sendRequest(CommunicationManager.java:765)
    at com.abc.communication.CommunicationManager.sendPingRequest(CommunicationManager.java:616)
    at com.abc.communication.CommunicationManager.access$100(CommunicationManager.java:94)
    at com.abc.communication.CommunicationManager$1.run(CommunicationManager.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
    at java.lang.Thread.run(Thread.java:841)

I can't understand where the problem is. I disabled shrinking and optimization, but it did not help. I also tried enabling the shrink option only, i.e. obfuscation and optimization were disabled, but that did not help either.

To build my app I use Maven. Part of my pom file:

<plugin>
    <groupId>com.jayway.maven.plugins.android.generation2</groupId>
    <artifactId>android-maven-plugin</artifactId>
    <version>3.8.1</version>

    <dependencies>
        <dependency>
            <groupId>net.sf.proguard</groupId>
            <artifactId>proguard-base</artifactId>
            <version>5.2.1</version>
        </dependency>
    </dependencies>

    <configuration>
        <release>true</release>
        <sdk>
            <platform>22</platform>
        </sdk>
        <undeployBeforeDeploy>false</undeployBeforeDeploy>

        ...

        <proguard>
            <skip>false</skip>
            <config>proguard.cfg</config>
            <configs>
                <config>proguard-android.txt</config>
            </configs>
            <outputDirectory>proguard-files</outputDirectory>
            <filterMavenDescriptor>true</filterMavenDescriptor>
            <filterManifest>true</filterManifest>
        </proguard>
    </configuration>
    <extensions>true</extensions>
</plugin>

proguard-android.txt is the standard file from the SDK folder:

# This is a configuration file for ProGuard.
# http://proguard.sourceforge.net/index.html#manual/usage.html

-dontusemixedcaseclassnames
-dontskipnonpubliclibraryclasses
-verbose

# Optimization is turned off by default. Dex does not like code run
# through the ProGuard optimize and preverify steps (and performs some
# of these optimizations on its own).
-dontoptimize
-dontpreverify
# Note that if you want to enable optimization, you cannot just
# include optimization flags in your own project configuration file;
# instead you will need to point to the
# "proguard-android-optimize.txt" file instead of this one from your
# project.properties file.

-keepattributes *Annotation*
-keep public class com.google.vending.licensing.ILicensingService
-keep public class com.android.vending.licensing.ILicensingService

# For native methods, see http://proguard.sourceforge.net/manual/examples.html#native
-keepclasseswithmembernames class * {
    native <methods>;
}

# keep setters in Views so that animations can still work.
# see http://proguard.sourceforge.net/manual/examples.html#beans
-keepclassmembers public class * extends android.view.View {
   void set*(***);
   *** get*();
}

# We want to keep methods in Activity that could be used in the XML attribute onClick
-keepclassmembers class * extends android.app.Activity {
   public void *(android.view.View);
}

# For enumeration classes, see http://proguard.sourceforge.net/manual/examples.html#enumerations
-keepclassmembers enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

-keep class * implements android.os.Parcelable {
  public static final android.os.Parcelable$Creator *;
}

-keepclassmembers class **.R$* {
    public static <fields>;
}

# The support library contains references to newer platform versions.
# Don't warn about those in case this app is linking against an older
# platform version.  We know about them, and they are safe.
-dontwarn android.support.**

My proguard.cfg file:

-keep public class * extends android.app.Activity

-keep public class * extends android.app.Application

-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet);
}

-keepclasseswithmembers class * {
    public <init>(android.content.Context, android.util.AttributeSet, int);
}

-keep class com.newrelic.** { *; }
-dontwarn com.newrelic.**
-keepattributes Exceptions, Signature, InnerClasses

-keep public class javax.net.ssl.**
-keepclassmembers public class javax.net.ssl.** { *; }

-keep class org.spongycastle.* { *; }
-dontwarn org.spongycastle.*

-keep class org.apache.http.** { *; }
-keepclassmembers public class org.apache.http.** { *; }
-dontwarn org.apache.http.**
-keep class com.abc.communication.CommunicationManager { *; }
-keep class com.abc.communication.CommunicationManager$* { *; }

-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,*Annotation*,EnclosingMethod
yugico
  • Compare the two created APKs (with/without ProGuard) using apktool. Decompile both APK files and then use a file comparison tool to detect the changes. – Robert May 31 '15 at 13:25
  • This link may be useful for you: http://stackoverflow.com/questions/10666769/proguard-error-cant-find-superclass-or-interface-org-apache-http-entity – floyd May 31 '15 at 13:54
  • @Robert I don't understand how I can compare these files, because they are different files. The first file is the original and the second one is obfuscated. – yugico May 31 '15 at 15:17
  • @floyd I think I used these instructions to tell ProGuard "don't touch third party libs". I think the problem is that I used a new version of the Apache HTTP lib in the code. After ProGuard something goes wrong. I will write a simple app with HTTP and run obfuscation with/without the new Apache lib. Thanks guys for your help. I will write my results here. – yugico May 31 '15 at 15:24
  • @yugico The one APK works, the other does not work. If you want to find out what is going wrong you have to know the differences. Usually ProGuard does not affect SSL/TLS trusted certificates, therefore you have to find out what is going wrong. BTW: Both versions are release versions (not debug versions)? Some libraries disable certificate checking in debug builds. – Robert May 31 '15 at 16:09
  • Consolidate the 2 config files mentioned in "proguard.config " tags – Robert Rowntree May 31 '15 at 18:46
  • @Robert both versions are release versions. – yugico Jun 01 '15 at 07:09
  • @RobertRowntree I made the consolidation of the 2 files, but it didn't help – yugico Jun 02 '15 at 11:11

1 Answer

2

The problem was in these lines:

-keep class org.spongycastle.* { *; }
-dontwarn org.spongycastle.*

I used *. It's wrong. You must use **.

* means "don't touch all classes in this package"
** means "don't touch all classes in the package and all sub-packages"

Thanks to all.

yugico
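
The wildcard difference described in the answer, as an added example that is not part of the original post: it translates ProGuard class-name patterns into regular expressions and reports classes that sit under a keep rule's package prefix but are not matched by it. The rule text comes from the question's proguard.cfg; the class list and the helper names (`to_regex`, `missed_by_keep_rules`) are constructed for illustration.

```python
import re

# The two keep rules from the question's proguard.cfg (one with '*', one with '**').
CONFIG = """\
-keep class org.spongycastle.* { *; }
-keep class org.apache.http.** { *; }
"""

# Constructed class names, standing in for the contents of the app's jars.
CLASSES = [
    "org.spongycastle.LICENSE",
    "org.spongycastle.jce.provider.BouncyCastleProvider",
    "org.spongycastle.crypto.digests.SHA256Digest",
    "org.apache.http.conn.ssl.SSLSocketFactory",
]

# Captures the class-name pattern of -keep, -keepclassmembers, etc.
KEEP_RULE = re.compile(r"^-keep\w*\s+(?:[\w!]+\s+)*?class\s+(\S+)", re.M)


def to_regex(pattern):
    """Translate a ProGuard class-name pattern into a compiled regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(r".*")       # anything, package separators included
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^.]*")    # anything except the package separator
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^.]")     # one character, not the separator
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def missed_by_keep_rules(config, class_names):
    """Map each keep pattern to classes under its prefix that it fails to match."""
    report = {}
    for pattern in KEEP_RULE.findall(config):
        prefix = pattern.split("*", 1)[0]   # literal part before the first wildcard
        rx = to_regex(pattern)
        missed = [c for c in class_names
                  if c.startswith(prefix) and not rx.fullmatch(c)]
        if missed:
            report[pattern] = missed
    return report


if __name__ == "__main__":
    for rule, missed in missed_by_keep_rules(CONFIG, CLASSES).items():
        print(rule, "does not keep:", ", ".join(missed))
```

Feeding it the real class list of a dependency jar (for example from `unzip -l`) shows which keep rules stop at the top-level package.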