[GH-ISSUE #1917] Proxyman | Android | Internal error with 999 error code | SSL Handshake failed #1908

Open
opened 2026-03-03 19:55:20 +03:00 by kerem · 13 comments

Originally created by @petrovickristina on GitHub (Jan 20, 2024).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1917

Description

I've installed certificates both on MacBook and Android device, and I've turned Web proxy (HTTP) and Secure web proxy (HTTPS) ON.

Can somebody help me with resolving this issue? I don't know what else I should try.

I think that I've read everything that is on the internet until now :D
Thanks in advance!

@NghiaTranUIT commented on GitHub (Jan 21, 2024):

@petrovickristina May I ask: have you finished step 5 in these docs: https://docs.proxyman.io/debug-devices/android-device

  • Add res/xml/network_security_config.xml
  • Add to AndroidManifest.xml

New Android API doesn't accept any user certificate until we configure it in these files. Otherwise, you will get an SSL error when intercepting HTTPS from your Android app.

@petrovickristina commented on GitHub (Jan 22, 2024):

Hi @NghiaTranUIT Thanks a lot, adding that additional part of a code helped with Internal errors, but now I can’t see all traffic.
I can only see calls for one domain, do you have maybe another proposal what should I try to do for that issue?

@NghiaTranUIT commented on GitHub (Jan 22, 2024):

So it works.

To see all HTTPS traffic, it depends on what network library you're using?

  1. Do you use native Android or flutter or React Native for Android?
  2. And what is the name of the network library? Some libraries don't respect the system proxy; they go straight to the Internet. Thus, Proxyman or other web proxy tools can't capture all traffic.

@petrovickristina commented on GitHub (Jan 22, 2024):

  1. Native
  2. We’re using Retrofit

@NghiaTranUIT commented on GitHub (Jan 22, 2024):

@petrovickristina it seems Retrofit doesn't accept the Proxyman self-signed certificate, even though it's trusted in the Android System.

You have to add some config to tell Retrofit to accept it. Here is a code sample: https://futurestud.io/tutorials/retrofit-2-how-to-trust-unsafe-ssl-certificates-self-signed-expired

or

https://gist.github.com/demixdn/3886de5a71dc2812c8f4d27a248a506b

@VidojeMuric commented on GitHub (Jan 25, 2024):

Hi @NghiaTranUIT, I will also jump in since we are both on the same project :)

I have noticed that we have a problem communicating with Firebase Firestore when we turn on Proxyman. We are receiving a message:

Stream closed with status: Status{code=UNAVAILABLE, description=null, cause=java.lang.RuntimeException: TLS ALPN negotiation failed with protocols: [h2]

We have tried all suggestions mentioned above, but nothing helps. Do you have any additional suggestion?

@NghiaTranUIT commented on GitHub (Jan 25, 2024):

I suggest not using the SSL Proxying on the Firebase domains, to make it work.

Firebase only supports HTTP/2 (h2) that Proxyman doesn't support (only HTTP/1.1)

@NghiaTranUIT commented on GitHub (Jan 25, 2024):

@VidojeMuric You can open the Tool menu -> SSL Proxying List -> remove the Firebase domains.

By doing it, Proxyman just proxies these data without intercepting it.

@VidojeMuric commented on GitHub (Jan 25, 2024):

Hi @NghiaTranUIT , thanks for a quick reply and help! In SSL Proxying list we didn't have Firebase domains. Only domains of our app. And the error is the same

[WatchStream]: (7208c20) Stream closed with status: Status{code=UNAVAILABLE, description=null, cause=java.lang.RuntimeException: TLS ALPN negotiation failed with protocols: [h2]
at io.grpc.okhttp.OkHttpProtocolNegotiator.negotiate

@jsonITP commented on GitHub (Mar 7, 2024):

Hi @NghiaTranUIT, I'm experiencing the same issue.
We've added both XML files, with the exception of `<certificates src="user" />` in `<base-config cleartextTrafficPermitted="true">`.
This is also React Native with OkHttp as the network lib.
All certificates should be correct, but when I'm using the proxy with Android I keep getting:
[Screenshot 2024-02-29 at 10 33 49]

@NghiaTranUIT commented on GitHub (Mar 7, 2024):

From what I googled, OkHttp doesn't use the certificate in your Android system. You have to accept it manually. Here is the tutorial on how to accept a self-signed certificate: https://www.baeldung.com/okhttp-self-signed-cert

If it's okay, then, Proxyman can decrypt your HTTPS data.

Sample Code: https://gist.github.com/rybalkinsd/940a35ccefb9849c887ccf32d3be744b

@bitcrumb commented on GitHub (Mar 19, 2024):

@NghiaTranUIT Why is there a <debug-overrides> in the network config when the types of certificates trusted (user & system) in the <base-config> are exactly the same?

Shouldn't the <base-config> exclude user certificates by default for security reasons?

```
<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <!-- Trust user added CAs while debuggable only -->
      <certificates src="user" />
      <certificates src="system" />
    </trust-anchors>
  </debug-overrides>

  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" /> <!-- shouldn't this be removed? !-->
    </trust-anchors>
  </base-config>
</network-security-config>
```
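
A check for the question raised in the comment above, as an added example that is not part of the thread or of Proxyman's documentation: it reports user-CA trust and cleartext settings that sit outside `<debug-overrides>` and therefore also apply to release builds. The `audit` function and `HARDENED_CONFIG` are constructed for illustration; `THREAD_CONFIG` is the config quoted in the comment with its XML comments dropped.

```python
import xml.etree.ElementTree as ET

# The config quoted in the comment above (XML comments dropped).
THREAD_CONFIG = """<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
      <certificates src="system" />
    </trust-anchors>
  </debug-overrides>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed variant: user CAs trusted only while the app is debuggable.
HARDENED_CONFIG = """<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

def audit(xml_text):
    """Return (section, issue) pairs for settings that reach release builds."""
    findings = []
    # <debug-overrides> applies only when android:debuggable is true, so
    # only <base-config> and <domain-config> are inspected.
    for section in ET.fromstring(xml_text).iter():
        if section.tag not in ("base-config", "domain-config"):
            continue
        if section.get("cleartextTrafficPermitted") == "true":
            findings.append((section.tag, "cleartext traffic permitted"))
        anchors = section.find("trust-anchors")
        certs = anchors.findall("certificates") if anchors is not None else []
        if any(c.get("src") == "user" for c in certs):
            findings.append((section.tag, "user-installed CAs trusted"))
    return findings

for name, cfg in (("thread", THREAD_CONFIG), ("hardened", HARDENED_CONFIG)):
    print(name, audit(cfg))
```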

@iamyorchdev commented on GitHub (Nov 25, 2025):

I was getting the same errors (not only for New Relic but all requests from my Android app, screenshot is just for reference).

Image

Turns out I accidentally enabled the Use External Proxy option by pressing Cmd + Opt + E in Mac OS.

Image

After disabling it, everything started working again.
