Trust anchor for certificate path not found when using over 3g but works fine over WiFi
My Android project is using API 15. I am connecting to a server over HTTPS using the HttpsURLConnection class. Everything works just fine over WiFi, but if I turn off WiFi and run over 3G I get the following:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:413)
    at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:257)
    at libcore.net.http.HttpConnection.setupSecureSocket(HttpConnection.java:210)
    at libcore.net.http.HttpsURLConnectionImpl$HttpsEngine.makeSslConnection(HttpsURLConnectionImpl.java:477)
    at libcore.net.http.HttpsURLConnectionImpl$HttpsEngine.connect(HttpsURLConnectionImpl.java:432)
    at libcore.net.http.HttpEngine.sendSocketRequest(HttpEngine.java:282)
    at libcore.net.http.HttpEngine.sendRequest(HttpEngine.java:232)
    at libcore.net.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:80)
    at libcore.net.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:188)
    at libcore.net.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:280)

If I am doing something wrong, why would it work over WiFi?

A bit more information here.

If I use openssl to view the server certificate info,

echo | openssl s_client -connect myserver.com:443

returns a server-level self-signed cert whereas

echo | openssl s_client -connect myserver.com:443 -servername myserver.com

returns the 'correct' certificate. I have multiple vhosts on my server, each with their own RapidSSL-issued cert, so I 'think' that means I need to use a TLS-enabled client. At least that is my interpretation of the message I see in my Apache log on startup:

Name-based SSL virtual hosts only work for clients with TLS server name indication support

If I am correct so far, does that mean my mobile 3G network could be screwing with the TLS, or is there something else I should be doing?

I can get things to work over 3G by subclassing DefaultHttpClient and importing a keystore containing the server's self-signed cert, but that is definitely not my preferred option.

Matchless answered 4/8, 2012 at 5:57

Comment: What is the server's URL? (Sworn)

Adding the -servername option simply sets the Server Name Indication field in the Client Hello message, which helps select the correct certificate if the target host has many, just like in your case. However, it's not related to the problem.

During the SSL handshake, certificates are delivered in subject/issuer pairs, forming a certificate chain.

For example, the google.com certificate chain looks like this:

openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

Once received, the client tries to validate all issuers in the chain from bottom to top (root). If the client can't validate the root certificate, the 'Trust anchor for certification path not found' message appears.

So, back to the WiFi/3G issue: probably your mobile network's DNS can't resolve the address of one of the intermediate issuers in your certificate chain.

UPDATE:

You can put your issuers' certificates into your APK and add them via a TrustManager in your code. This approach may overcome access network restrictions (if any).

Niggle answered 27/8, 2015 at 22:44

Comment: What exactly does DNS have to do with certificate validation? (Dercy)

Comment: If one of the intermediate certificates is missing in the device CA keystore, by which protocol can it find the authority? Besides, please check this answer: #19221187 (Niggle)
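The update in the answer above suggests bundling the issuers' certificates in the APK and trusting them through a TrustManager. The following is an added example of that approach, written against the standard java.security and javax.net.ssl APIs available at API 15; it is not code from the question, the answer, or any project. The resource name R.raw.rapidssl_chain and the class and method names are assumptions; the resource is taken to hold the intermediate and root certificates as exported from the server's chain (for instance with `openssl s_client -showcerts`).

```java
import android.content.Context;

import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts only the issuer certificates bundled in the
 * APK and applies it to one HttpsURLConnection.
 *
 * Usage (R.raw.rapidssl_chain is an assumed resource name):
 *   HttpsURLConnection c =
 *       BundledIssuerTrust.open(ctx, "https://myserver.com/api", R.raw.rapidssl_chain);
 */
public final class BundledIssuerTrust {

    private BundledIssuerTrust() {}

    /**
     * @param ctx        any Context, used only for resource access
     * @param rawCertIds res/raw ids of issuer certificate files (PEM or DER,
     *                   one or several certificates per file)
     */
    public static SSLContext buildContext(Context ctx, int... rawCertIds) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Start from an empty keystore so the device's default CA list is NOT
        // consulted: only the bundled issuers count as trust anchors.
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null);

        int loaded = 0;
        for (int id : rawCertIds) {
            InputStream in = ctx.getResources().openRawResource(id);
            try {
                // generateCertificates() reads every certificate in a bundle file,
                // where generateCertificate() would stop after the first one.
                Collection<? extends Certificate> certs = cf.generateCertificates(in);
                for (Certificate c : certs) {
                    trusted.setCertificateEntry("issuer" + (loaded++), c);
                }
            } finally {
                in.close();
            }
        }
        if (loaded == 0) {
            throw new IllegalArgumentException("no issuer certificates loaded");
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        return sc;
    }

    /** Opens a connection whose certificate chain must end at one of the bundled issuers. */
    public static HttpsURLConnection open(Context ctx, String url, int... rawCertIds)
            throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildContext(ctx, rawCertIds).getSocketFactory());
        // The platform HostnameVerifier is left in place: a valid chain alone
        // does not prove the peer is the host named in the URL.
        return conn;
    }
}
```

Because the keystore holds the issuer (CA) certificates rather than the server's own certificate, the end-entity certificate presented by the server is still validated as a chain, so the approach avoids the question's fallback of trusting a self-signed certificate directly. The trade-off is that the app trusts only these issuers for the connection, so a future change of certificate authority on the server requires shipping an updated bundle.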
