@blake.meike yes, apparently there’s a requirement that if you have a <domain-config> defined (“Domain specific configuration”), even if it’s to set cleartextTrafficPermitted="true", it requires implementing checkServerTrusted(X509Certificate[], String, String) in some way. This function is part of the X509TrustManager API. The only time I’ve had to work with this API was getting a local proxy working, where I wanted to bypass certificate checks.
I’m targeting the latest API 30. Not sure which API level this behavior begins in. This is the network_security_config.xml I was using to allow insecure ws: traffic:
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">localhost</domain>
<domain includeSubdomains="true">192.168.100.158</domain>
</domain-config>
</network-security-config>
Maybe the fact that the sync gateway endpoint I was connecting to with wss: wasn’t one of the local hostname or IP in the config had something to do with it? After commenting out the config entirely, it connected without issue.